This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 1072044 - snmptrapd segfaults under specific conditions
snmptrapd segfaults under specific conditions
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: net-snmp (Show other bugs)
5.10
All Linux
unspecified Severity medium
: rc
: ---
Assigned To: Jan Safranek
BaseOS QE Security Team
:
Depends On:
Blocks: CVE-2014-2285
  Show dependency treegraph
 
Reported: 2014-03-03 13:41 EST by viliam.pucik
Modified: 2015-01-12 14:27 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-02 09:00:36 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Fixes newSVpv calls (1.60 KB, patch)
2014-03-03 13:41 EST, viliam.pucik
no flags Details | Diff

  None (edit)
Description viliam.pucik 2014-03-03 13:41:20 EST
Created attachment 870071 [details]
Fixes newSVpv calls

Description of problem:

Sending SNMP trap with empty community string crashes snmptrapd if Perl handler is enabled.

Version-Release number of selected component (if applicable):

net-snmp-perl-5.3.2.2

How reproducible:

Steps to Reproduce:
1. Install net-snmp-perl:

yum install net-snmp-perl

2. Enable Perl handler for snmptrapd:

echo 'NetSNMP::TrapReceiver::register( "all", sub {} );' > /etc/snmp/handler.pl
echo 'disableAuthorization yes' > /etc/snmp/snmptrapd.conf
echo 'perl do "/etc/snmp/handler.pl"' >> /etc/snmp/snmptrapd.conf

4. Start snmptrapd:

/usr/sbin/snmptrapd -C -c /etc/snmp/snmptrapd.conf -n -Le -f


3. Submit a trap with empty community string:

snmptrap -v 2c -c "" localhost "" .1

Actual results:

snmptrapd segfaults.

Expected results:

snmptrapd should continue running.

Additional info:

The issues is caused by Perl's 5.8.8 newSVpv() function which crashes if the first argument is NULL (https://sourceforge.net/p/net-snmp/patches/1275/). Attached is a patch for RHEL5.
Comment 3 Jan Safranek 2014-03-06 03:41:56 EST
Thanks for the bug report and the patch. I've pushed the patch upstream.
Comment 4 RHEL Product and Program Management 2014-03-07 07:12:01 EST
Thank you for submitting this request for inclusion in Red Hat Enterprise Linux 5. We've carefully evaluated the request, but are unable to include it in the  last planned RHEL5 minor release. This Bugzilla will soon be CLOSED as WONTFIX. To request that Red Hat re-consider this request, please re-open the bugzilla via  appropriate support channels and provide additional business and/or technical details about its importance to you.
Comment 5 Jan Safranek 2014-03-07 07:35:06 EST
Villiam,

the comment #4 is automatically generated. While this bug report may be closed soon, it has security implications, which are tracked in separate bug #1072778 and the crashing snmptrapd _should_ be fixed in RHEL 5 eventually.

[yeah, messy, but Bugzilla is an engineering tool...]
Comment 6 RHEL Product and Program Management 2014-06-02 09:00:36 EDT
Thank you for submitting this request for inclusion in Red Hat Enterprise Linux 5. We've carefully evaluated the request, but are unable to include it in RHEL5 stream. If the issue is critical for your business, please provide additional business justification through the appropriate support channels (https://access.redhat.com/site/support).
Comment 7 viliam.pucik 2015-01-12 14:27:30 EST
OK, thank you Jan for including the patch in the upstream.

Note You need to log in before you can comment on or make changes to this bug.