openkylin
/
net-snmp
mirror of https://gitee.com/openkylin/net-snmp.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity

CVE-2020-15861 安全更新:Net-SNMP 5.7.3及之前版本中存在安全漏洞。攻击者可利用该漏洞将权限提升至root。

This commit is contained in:
lyc 2023-03-02 21:30:24 +08:00
parent 4741bf9374
commit dbb92834b1
5 changed files with 10 additions and 205 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
debian/changelog vendored
View File

@ -1,3 +1,9 @@
net-snmp (5.8+dfsg-ok4) yangtze; urgency=medium
* chengmei-of-shentian CVE-2020-15861 安全更新Net-SNMP 5.7.3及之前版本中存在安全漏洞。攻击者可利用该漏洞将权限提升至root。
-- lyc <2929773852@bupt.edu.cn> Thu, 02 Mar 2023 21:29:25 +0800
net-snmp (5.8+dfsg-ok3) yangtze; urgency=medium net-snmp (5.8+dfsg-ok3) yangtze; urgency=medium
* zfj_h CVE-2019-20892 安全更新Net-SNMP 5.8.1.pre1之前版本中的资源管理错误漏洞. * zfj_h CVE-2019-20892 安全更新Net-SNMP 5.8.1.pre1之前版本中的资源管理错误漏洞.

3
include/net-snmp/library/mib.h
View File

@ -124,9 +124,6 @@ SOFTWARE.
NETSNMP_IMPORT NETSNMP_IMPORT
char *netsnmp_get_mib_directory(void); char *netsnmp_get_mib_directory(void);
void netsnmp_fixup_mib_directory(void); void netsnmp_fixup_mib_directory(void);
void netsnmp_mibindex_load( void );
char * netsnmp_mibindex_lookup( const char * );
FILE * netsnmp_mibindex_new( const char * );
int sprint_realloc_description(u_char ** buf, size_t * buf_len, int sprint_realloc_description(u_char ** buf, size_t * buf_len,
size_t * out_len, int allow_realloc, size_t * out_len, int allow_realloc,
oid * objid, size_t objidlen, int width); oid * objid, size_t objidlen, int width);

2
include/net-snmp/library/parse.h
View File

@ -201,7 +201,7 @@ SOFTWARE.
#endif #endif
void netsnmp_init_mib_internals(void); void netsnmp_init_mib_internals(void);
void unload_all_mibs(void); void unload_all_mibs(void);
int add_mibfile(const char*, const char*, FILE *); int add_mibfile(const char*, const char*);
int which_module(const char *); int which_module(const char *);
NETSNMP_IMPORT NETSNMP_IMPORT
char *module_name(int, char *); char *module_name(int, char *);

148
snmplib/mib.c
View File

@ -2717,7 +2717,6 @@ netsnmp_init_mib(void)
env_var = strdup(netsnmp_get_mib_directory()); env_var = strdup(netsnmp_get_mib_directory());
if (!env_var) if (!env_var)
return; return;
netsnmp_mibindex_load();
DEBUGMSGTL(("init_mib", DEBUGMSGTL(("init_mib",
"Seen MIBDIRS: Looking in '%s' for mib dirs ...\n", "Seen MIBDIRS: Looking in '%s' for mib dirs ...\n",
@ -2737,7 +2736,7 @@ netsnmp_init_mib(void)
else else
entry = strtok_r(env_var, ENV_SEPARATOR, &st); entry = strtok_r(env_var, ENV_SEPARATOR, &st);
while (entry) { while (entry) {
add_mibfile(entry, NULL, NULL); add_mibfile(entry, NULL);
entry = strtok_r(NULL, ENV_SEPARATOR, &st); entry = strtok_r(NULL, ENV_SEPARATOR, &st);
} }
} }
@ -2888,142 +2887,6 @@ init_mib(void)
#endif #endif
/*
* Handle MIB indexes centrally
*/
static int _mibindex = 0; /* Last index in use */
static int _mibindex_max = 0; /* Size of index array */
char **_mibindexes = NULL;
int _mibindex_add( const char *dirname, int i );
void
netsnmp_mibindex_load( void )
{
DIR *dir;
struct dirent *file;
FILE *fp;
char tmpbuf[ 300];
char tmpbuf2[300];
int i;
char *cp;
/*
* Open the MIB index directory, or create it (empty)
*/
snprintf( tmpbuf, sizeof(tmpbuf), "%s/mib_indexes",
get_persistent_directory());
tmpbuf[sizeof(tmpbuf)-1] = 0;
dir = opendir( tmpbuf );
if ( dir == NULL ) {
DEBUGMSGTL(("mibindex", "load: (new)\n"));
mkdirhier( tmpbuf, NETSNMP_AGENT_DIRECTORY_MODE, 0);
return;
}
/*
* Create a list of which directory each file refers to
*/
while ((file = readdir( dir ))) {
if ( !isdigit((unsigned char)(file->d_name[0])))
continue;
i = atoi( file->d_name );
snprintf( tmpbuf, sizeof(tmpbuf), "%s/mib_indexes/%d",
get_persistent_directory(), i );
tmpbuf[sizeof(tmpbuf)-1] = 0;
fp = fopen( tmpbuf, "r" );
if (!fp)
continue;
cp = fgets( tmpbuf2, sizeof(tmpbuf2), fp );
fclose( fp );
if ( !cp ) {
DEBUGMSGTL(("mibindex", "Empty MIB index (%d)\n", i));
continue;
}
if ( strncmp( tmpbuf2, "DIR ", 4 ) != 0 ) {
DEBUGMSGTL(("mibindex", "Malformed MIB index (%d)\n", i));
continue;
}
tmpbuf2[strlen(tmpbuf2)-1] = 0;
DEBUGMSGTL(("mibindex", "load: (%d) %s\n", i, tmpbuf2));
(void)_mibindex_add( tmpbuf2+4, i ); /* Skip 'DIR ' */
}
closedir( dir );
}
char *
netsnmp_mibindex_lookup( const char *dirname )
{
int i;
static char tmpbuf[300];
for (i=0; i<_mibindex; i++) {
if ( _mibindexes[i] &&
strcmp( _mibindexes[i], dirname ) == 0) {
snprintf(tmpbuf, sizeof(tmpbuf), "%s/mib_indexes/%d",
get_persistent_directory(), i);
tmpbuf[sizeof(tmpbuf)-1] = 0;
DEBUGMSGTL(("mibindex", "lookup: %s (%d) %s\n", dirname, i, tmpbuf ));
return tmpbuf;
}
}
DEBUGMSGTL(("mibindex", "lookup: (none)\n"));
return NULL;
}
int
_mibindex_add( const char *dirname, int i )
{
const int old_mibindex_max = _mibindex_max;
DEBUGMSGTL(("mibindex", "add: %s (%d)\n", dirname, i ));
if ( i == -1 )
i = _mibindex++;
if ( i >= _mibindex_max ) {
/*
* If the index array is full (or non-existent)
* then expand (or create) it
*/
_mibindex_max = i + 10;
_mibindexes = realloc(_mibindexes,
_mibindex_max * sizeof(_mibindexes[0]));
netsnmp_assert(_mibindexes);
memset(_mibindexes + old_mibindex_max, 0,
(_mibindex_max - old_mibindex_max) * sizeof(_mibindexes[0]));
}
_mibindexes[ i ] = strdup( dirname );
if ( i >= _mibindex )
_mibindex = i+1;
DEBUGMSGTL(("mibindex", "add: %d/%d/%d\n", i, _mibindex, _mibindex_max ));
return i;
}
FILE *
netsnmp_mibindex_new( const char *dirname )
{
FILE *fp;
char tmpbuf[300];
char *cp;
int i;
cp = netsnmp_mibindex_lookup( dirname );
if (!cp) {
i = _mibindex_add( dirname, -1 );
snprintf( tmpbuf, sizeof(tmpbuf), "%s/mib_indexes/%d",
get_persistent_directory(), i );
tmpbuf[sizeof(tmpbuf)-1] = 0;
cp = tmpbuf;
}
DEBUGMSGTL(("mibindex", "new: %s (%s)\n", dirname, cp ));
fp = fopen( cp, "w" );
if (fp)
fprintf( fp, "DIR %s\n", dirname );
return fp;
}
/** /**
* Unloads all mibs. * Unloads all mibs.
*/ */
@ -3038,15 +2901,6 @@ shutdown_mib(void)
} }
tree_head = NULL; tree_head = NULL;
Mib = NULL; Mib = NULL;
if (_mibindexes) {
int i;
for (i = 0; i < _mibindex; ++i)
SNMP_FREE(_mibindexes[i]);
free(_mibindexes);
_mibindex = 0;
_mibindex_max = 0;
_mibindexes = NULL;
}
if (Prefix != NULL && Prefix != &Standard_Prefix[0]) if (Prefix != NULL && Prefix != &Standard_Prefix[0])
SNMP_FREE(Prefix); SNMP_FREE(Prefix);
if (Prefix) if (Prefix)

56
snmplib/parse.c
View File

@ -607,8 +607,6 @@ static int read_module_replacements(const char *);
static int read_import_replacements(const char *, static int read_import_replacements(const char *,
struct module_import *); struct module_import *);
static void new_module(const char *, const char *);
static struct node *merge_parse_objectid(struct node *, FILE *, char *); static struct node *merge_parse_objectid(struct node *, FILE *, char *);
static struct index_list *getIndexes(FILE * fp, struct index_list **); static struct index_list *getIndexes(FILE * fp, struct index_list **);
static struct varbind_list *getVarbinds(FILE * fp, struct varbind_list **); static struct varbind_list *getVarbinds(FILE * fp, struct varbind_list **);
@ -4859,7 +4857,7 @@ snmp_get_token(FILE * fp, char *token, int maxtlen)
#endif /* NETSNMP_FEATURE_REMOVE_PARSE_GET_TOKEN */ #endif /* NETSNMP_FEATURE_REMOVE_PARSE_GET_TOKEN */
int int
add_mibfile(const char* tmpstr, const char* d_name, FILE *ip ) add_mibfile(const char* tmpstr, const char* d_name)
{ {
FILE *fp; FILE *fp;
char token[MAXTOKEN], token2[MAXTOKEN]; char token[MAXTOKEN], token2[MAXTOKEN];
@ -4884,8 +4882,6 @@ add_mibfile(const char* tmpstr, const char* d_name, FILE *ip )
*/ */
if (get_token(fp, token2, MAXTOKEN) == DEFINITIONS) { if (get_token(fp, token2, MAXTOKEN) == DEFINITIONS) {
new_module(token, tmpstr); new_module(token, tmpstr);
if (ip)
fprintf(ip, "%s %s\n", token, d_name);
fclose(fp); fclose(fp);
return 0; return 0;
} else { } else {
@ -4903,62 +4899,16 @@ add_mibfile(const char* tmpstr, const char* d_name, FILE *ip )
int int
add_mibdir(const char *dirname) add_mibdir(const char *dirname)
{ {
FILE *ip;
DIR *dir, *dir2; DIR *dir, *dir2;
const char *oldFile = File; const char *oldFile = File;
struct dirent *file; struct dirent *file;
char tmpstr[300]; char tmpstr[300];
int count = 0; int count = 0;
int fname_len = 0; int fname_len = 0;
#if !(defined(WIN32) || defined(cygwin))
char *token;
char space;
char newline;
struct stat dir_stat, idx_stat;
char tmpstr1[300];
#endif
DEBUGMSGTL(("parse-mibs", "Scanning directory %s\n", dirname)); DEBUGMSGTL(("parse-mibs", "Scanning directory %s\n", dirname));
#if !(defined(WIN32) || defined(cygwin))
token = netsnmp_mibindex_lookup( dirname );
if (token && stat(token, &idx_stat) == 0 && stat(dirname, &dir_stat) == 0) {
if (dir_stat.st_mtime < idx_stat.st_mtime) {
DEBUGMSGTL(("parse-mibs", "The index is good\n"));
if ((ip = fopen(token, "r")) != NULL) {
fgets(tmpstr, sizeof(tmpstr), ip); /* Skip dir line */
while (fscanf(ip, "%127s%c%299[^\n]%c", token, &space, tmpstr,
&newline) == 4) {
/*
* If an overflow of the token or tmpstr buffers has been
* found log a message and break out of the while loop,
* thus the rest of the file tokens will be ignored.
*/
if (space != ' ' || newline != '\n') {
snmp_log(LOG_ERR,
"add_mibdir: strings scanned in from %s/%s " \
"are too large. count = %d\n ", dirname,
".index", count);
break;
}
snprintf(tmpstr1, sizeof(tmpstr1), "%s/%s", dirname, tmpstr);
tmpstr1[ sizeof(tmpstr1)-1 ] = 0;
new_module(token, tmpstr1);
count++;
}
fclose(ip);
return count;
} else
DEBUGMSGTL(("parse-mibs", "Can't read index\n"));
} else
DEBUGMSGTL(("parse-mibs", "Index outdated\n"));
} else
DEBUGMSGTL(("parse-mibs", "No index\n"));
#endif
if ((dir = opendir(dirname))) { if ((dir = opendir(dirname))) {
ip = netsnmp_mibindex_new( dirname );
while ((file = readdir(dir))) { while ((file = readdir(dir))) {
/* /*
* Only parse file names that don't begin with a '.' * Only parse file names that don't begin with a '.'
@ -4979,7 +4929,7 @@ add_mibdir(const char *dirname)
*/ */
closedir(dir2); closedir(dir2);
} else { } else {
if ( !add_mibfile( tmpstr, file->d_name, ip )) if ( !add_mibfile( tmpstr, file->d_name))
count++; count++;
} }
} }
@ -4987,8 +4937,6 @@ add_mibdir(const char *dirname)
} }
File = oldFile; File = oldFile;
closedir(dir); closedir(dir);
if (ip)
fclose(ip);
return (count); return (count);
} }
else else