Created attachment 870071
Fixes newSVpv calls

Description of problem:
Sending SNMP trap with empty community string crashes snmptrapd if Perl handler is enabled.

Version-Release number of selected component (if applicable):
net-snmp-perl-5.3.2.2

How reproducible:

Steps to Reproduce:
1. Install net-snmp-perl:
   yum install net-snmp-perl
2. Enable Perl handler for snmptrapd:
   echo 'NetSNMP::TrapReceiver::register( "all", sub {} );' > /etc/snmp/handler.pl
   echo 'disableAuthorization yes' > /etc/snmp/snmptrapd.conf
   echo 'perl do "/etc/snmp/handler.pl"' >> /etc/snmp/snmptrapd.conf
4. Start snmptrapd:
   /usr/sbin/snmptrapd -C -c /etc/snmp/snmptrapd.conf -n -Le -f
3. Submit a trap with empty community string:
   snmptrap -v 2c -c "" localhost "" .1

Actual results:
snmptrapd segfaults.

Expected results:
snmptrapd should continue running.

Additional info:
The issue is caused by Perl 5.8.8's newSVpv() function, which crashes if the first argument is NULL (https://sourceforge.net/p/net-snmp/patches/1275/). Attached is a patch for RHEL5.
Thanks for the bug report and the patch. I've pushed the patch upstream.
Thank you for submitting this request for inclusion in Red Hat Enterprise Linux 5. We've carefully evaluated the request, but are unable to include it in the last planned RHEL5 minor release. This Bugzilla will soon be CLOSED as WONTFIX. To request that Red Hat re-consider this request, please re-open the bugzilla via appropriate support channels and provide additional business and/or technical details about its importance to you.
Villiam, the comment #4 is automatically generated. While this bug report may be closed soon, it has security implications, which are tracked in separate bug #1072778 and the crashing snmptrapd _should_ be fixed in RHEL 5 eventually. [yeah, messy, but Bugzilla is an engineering tool...]
Thank you for submitting this request for inclusion in Red Hat Enterprise Linux 5. We've carefully evaluated the request, but are unable to include it in RHEL5 stream. If the issue is critical for your business, please provide additional business justification through the appropriate support channels (https://access.redhat.com/site/support).
OK, thank you Jan for including the patch in the upstream.