
Bug#972149: buster-pu: package net-snmp/5.7.3+dfsg-5+deb10u1



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

[ Reason ]
The security release in deb10u1 made EXTEND-MIB read-only
to close a security hole (CVE-2020-15862/Bug #9651166).
However, this meant the cacheTime and execType could not be
changed, which caused problems with some SNMP managers or setups.

[ Impact ]
The cacheTime and execType cannot be set anywhere, as these
parameters appear in net-snmp 5.8, which is in sid but not
buster.

[ Tests ]
Tested with Ubuntu
https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1892980
Upstream have the patch and their tests:
https://sourceforge.net/p/net-snmp/patches/1290/

My tests:
Install the candidate snmpd on a Debian10 VM
Configuration file is:
rocommunity public default
extend -cacheTime 10 test /usr/bin/date

Run snmpd using this configuration file

On a different host, run
watch -d snmpwalk -v 1 -c public  {test_server_ip} .1.3.6.1.4.1.8072.1.3.2.3.1.1.4

Notice the date only changes approximately every 10 seconds as the
result is cached.

[ Risks ]
The patch is about 30 additional lines.  Most users probably don't
use the "extend" option so won't exercise this or the buggy setup.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]
Adds two options to the extend command line parameter
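As an added illustration (not net-snmp code and not part of this bug report), the following Python script mirrors the token order the patched extend.c parser uses for the new flags (-cacheTime first, then -execType, then the existing [MIBOID] NAME PROG ARGS) and audits an snmpd.conf for the inputs that parser accepts silently: a cache time that atoi() turns into 0 and is then ignored, a negative cache time, flags given in the wrong order (which the C code would register as the NAME token), and entries that run through a shell. The directive token names, the C-style atoi emulation and the sample configuration are assumptions constructed for the example.

```python
"""Audit snmpd.conf "extend" directives for the -cacheTime / -execType flags.

Added example, not net-snmp code. The parsing order mirrors the patch to
agent/mibgroup/agent/extend.c; the checks are what a config reviewer wants.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Directive tokens compared in extend.c (assumed list, taken from the patch).
EXTEND_TOKENS = ("extend", "extend-sh", "sh", "sh2")
SHELL_TOKENS = ("sh", "extend-sh", "sh2")


@dataclass
class ExtendEntry:
    name: str
    prog: str
    args: str
    cache_timeout: Optional[int]   # None: no flag, or a value the C code ignores (0)
    exec_type: str                 # "sh" or "exec"
    miboid: Optional[str]
    warnings: List[str] = field(default_factory=list)


def c_atoi(text: str) -> int:
    """Emulate C atoi(): skip blanks, optional sign, leading digits; 0 if none."""
    m = re.match(r"\s*([+-]?)(\d*)", text)
    sign, digits = m.group(1), m.group(2)
    if not digits:
        return 0
    return -int(digits) if sign == "-" else int(digits)


def parse_extend(line: str) -> ExtendEntry:
    """Parse one extend line the way the patched C parser would, with warnings."""
    tokens = line.split()
    if not tokens or tokens[0] not in EXTEND_TOKENS:
        raise ValueError(f"not an extend directive: {line!r}")

    def take(idx: int) -> str:
        if idx >= len(tokens):
            raise ValueError(f"truncated extend directive: {line!r}")
        return tokens[idx]

    warnings: List[str] = []
    cache_timeout: Optional[int] = None
    exec_type = "exec"
    i = 1
    # Flag order is fixed in the C parser: -cacheTime, then -execType.
    if take(i) == "-cacheTime":
        raw = take(i + 1)
        value = c_atoi(raw)
        i += 2
        if value == 0:
            warnings.append(f"-cacheTime {raw!r} parses as 0 and is silently ignored")
        else:
            cache_timeout = value          # C stores any non-zero value, even negative
            if value < 0:
                warnings.append(f"-cacheTime {raw!r} is negative")
    if take(i) == "-execType":
        raw = take(i + 1)
        i += 2
        exec_type = "sh" if raw == "sh" else "exec"
        if raw not in ("sh", "exec"):
            warnings.append(f"-execType {raw!r} is not 'sh'; treated as exec")
    if take(i).startswith("-"):
        warnings.append(f"{take(i)!r} is out of flag order; the parser takes it as NAME")
    miboid = None
    if take(i).startswith("."):            # optional MIBOID, as in the existing parser
        miboid = take(i)
        i += 1
    name, prog = take(i), take(i + 1)
    args = " ".join(tokens[i + 2:])
    if tokens[0] in SHELL_TOKENS or exec_type == "sh":
        warnings.append(f"entry {name!r} runs its command through a shell")
    return ExtendEntry(name, prog, args, cache_timeout, exec_type, miboid, warnings)


def audit_config(text: str) -> List[ExtendEntry]:
    """Return parsed entries for every extend line in an snmpd.conf text."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and line.split()[0] in EXTEND_TOKENS:
            entries.append(parse_extend(line))
    return entries


# Constructed sample configuration (not from a real host).
SAMPLE_CONF = """\
rocommunity public default
extend -cacheTime 10 test /usr/bin/date
extend -cacheTime abc uptime /usr/bin/uptime
extend -execType sh -cacheTime 5 broken /bin/ls -l
"""

if __name__ == "__main__":
    for entry in audit_config(SAMPLE_CONF):
        print(entry.name, entry.prog, entry.cache_timeout, entry.exec_type, entry.warnings)
```

Running the script on the sample shows the third line being registered under the name "-cacheTime" with "5" as its program, which is exactly the failure mode a reviewer of the C parser should expect when flags are given in the wrong order.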

[ Other info ]
None

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.8.0-3-amd64 (SMP w/8 CPU threads)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru net-snmp-5.7.3+dfsg/debian/changelog net-snmp-5.7.3+dfsg/debian/changelog
--- net-snmp-5.7.3+dfsg/debian/changelog	2020-07-31 20:53:22.000000000 +1000
+++ net-snmp-5.7.3+dfsg/debian/changelog	2020-09-07 07:16:17.000000000 +1000
@@ -1,3 +1,13 @@
+net-snmp (5.7.3+dfsg-5+deb10u2) buster-security; urgency=high
+
+  * snmpd: Add cacheTime and execType flags to EXTEND-MIB.
+    Previous security release made EXTEND-MIB read-only which meant
+    it was not possible to set the timeout of the cache. This patch
+    allows administrator to set the value in the snmpd.conf file.
+    Closes: #969508
+
+ -- Craig Small <csmall@debian.org>  Mon, 07 Sep 2020 07:16:17 +1000
+
 net-snmp (5.7.3+dfsg-5+deb10u1) buster-security; urgency=high
 
   * snmpd: Make EXTEND-MIB readonly access
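Review bot: the new stanza targets `buster-security`, but this request is filed as a buster-pu through release.debian.org, and uploads that go through proposed-updates carry the plain `buster` distribution (the `buster-security` suite is for security team uploads); change `net-snmp (5.7.3+dfsg-5+deb10u2) buster-security; urgency=high` accordingly unless the security team is sponsoring the upload. It would also help readers of the changelog to name the CVE-2020-15862 fix this entry follows up on, since the text only refers to the "previous security release".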
diff -Nru net-snmp-5.7.3+dfsg/debian/patches/series net-snmp-5.7.3+dfsg/debian/patches/series
--- net-snmp-5.7.3+dfsg/debian/patches/series	2020-07-31 20:53:22.000000000 +1000
+++ net-snmp-5.7.3+dfsg/debian/patches/series	2020-09-07 07:16:17.000000000 +1000
@@ -44,3 +44,4 @@
 snmpd_stop_mib_indexes_files
 snmp_snmptrapd_disallow_user_change
 
+snmpd_cachetime_exectype
diff -Nru net-snmp-5.7.3+dfsg/debian/patches/snmpd_cachetime_exectype net-snmp-5.7.3+dfsg/debian/patches/snmpd_cachetime_exectype
--- net-snmp-5.7.3+dfsg/debian/patches/snmpd_cachetime_exectype	1970-01-01 10:00:00.000000000 +1000
+++ net-snmp-5.7.3+dfsg/debian/patches/snmpd_cachetime_exectype	2020-09-07 07:16:17.000000000 +1000
@@ -0,0 +1,85 @@
+Description: Add a couple of optional flags to the "extend" config
+ directive, enabling non-volatile configuration of a couple of aspects that so
+ far have been configurable only temporarily via SETs:
+ -cacheTime specifies the cache timeout
+Author: Jeff Gehlbach <jeffg@opennms.org>
+Origin: upstream, https://github.com/net-snmp/net-snmp/commit/d8b12900629ed73a78b27535f08c4f0a721a93be
+Bug-Debian: https://bugs.debian.org/969508
+Applied-Upstream: 5.8
+Reviewed-by: Craig Small <csmall@debian.org>
+Last-Update: 2020-09-05
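Review bot: the DEP-3 Description promises "a couple of aspects" but lists only `-cacheTime specifies the cache timeout`; add a matching line for `-execType` (shell versus direct exec) so the header documents both flags the patch introduces.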
+--- a/agent/mibgroup/agent/extend.c
++++ b/agent/mibgroup/agent/extend.c
+@@ -528,8 +528,27 @@
+     size_t oid_len;
+     extend_registration_block *eptr;
+     int  flags;
++    char cache_timeout_str[STRMAX];
++    int cache_timeout = 0;
++    char exec_type_str[STRMAX];
++    int exec_type = NS_EXTEND_ETYPE_EXEC;
+ 
+     cptr = copy_nword(cptr, exec_name,    sizeof(exec_name));
++    if ( !strcmp( exec_name, "-cacheTime") ) {
++        cptr = copy_nword(cptr, cache_timeout_str, sizeof(cache_timeout_str));
++        /* If atoi can't do the conversion, it returns 0 */
++        cache_timeout = atoi(cache_timeout_str);
++        cptr = copy_nword(cptr, exec_name,    sizeof(exec_name));
++    }
++    if ( !strcmp( exec_name, "-execType") ) {
++        cptr = copy_nword(cptr, exec_type_str, sizeof(exec_type_str));
++        if ( !strcmp( exec_type_str, "sh" ) ) {
++            exec_type = NS_EXTEND_ETYPE_SHELL;
++        } else {
++            exec_type = NS_EXTEND_ETYPE_EXEC;
++        }
++        cptr = copy_nword(cptr, exec_name,    sizeof(exec_name));
++    }
+     if ( *exec_name == '.' ) {
+         oid_len = MAX_OID_LEN - 2;
+         if (0 == read_objid( exec_name, oid_buf, &oid_len )) {
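Review bot: flag parsing is order-sensitive and unvalidated. `-execType` is only looked for after the `-cacheTime` branch has consumed its tokens, so `extend -execType sh -cacheTime 10 NAME PROG` leaves `-cacheTime` in `exec_name` and registers an entry literally named `-cacheTime`; a small loop over leading `-` tokens would make either order work, and the trailing `if (*exec_name == '-')` case should at least produce a config error. The comment `If atoi can't do the conversion, it returns 0` is true but relies on the `!= 0` guard in a later hunk, and atoi() also accepts `-5` and `10abc` without complaint; prefer strtol() with an end-pointer check and report anything outside 1..INT_MAX via config_perror() so a misconfiguration is visible at startup rather than silently ignored.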
+@@ -551,7 +570,8 @@
+     flags = (NS_EXTEND_FLAGS_ACTIVE | NS_EXTEND_FLAGS_CONFIG);
+     if (!strcmp( token, "sh"        ) ||
+         !strcmp( token, "extend-sh" ) ||
+-        !strcmp( token, "sh2" ))
++        !strcmp( token, "sh2" ) ||
++        exec_type == NS_EXTEND_ETYPE_SHELL)
+         flags |= NS_EXTEND_FLAGS_SHELL;
+     if (!strcmp( token, "execFix"   ) ||
+         !strcmp( token, "extendfix" ) ||
+@@ -572,6 +592,8 @@
+         extension->command  = strdup( exec_command );
+         if (cptr)
+             extension->args = strdup( cptr );
++        if (cache_timeout != 0)
++            extension->cache->timeout = cache_timeout;
+     } else {
+         snmp_log(LOG_ERR, "Failed to register extend entry '%s' - possibly duplicate name.\n", exec_name );
+         return;
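Review bot: `if (cache_timeout != 0)` is the only guard before `extension->cache->timeout = cache_timeout;`, so a negative value from atoi() is written straight into the cache. Tighten it to `cache_timeout > 0` (or reject negatives at parse time) and make the parse-hunk comment say that 0 means "keep the default timeout", which is the behaviour this branch actually implements.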
+--- a/man/snmpd.conf.5.def
++++ b/man/snmpd.conf.5.def
+@@ -1284,7 +1284,7 @@
+ .PP
+ \fIexec\fR and \fIsh\fR extensions can only be configured via the
+ snmpd.conf file.  They cannot be set up via SNMP SET requests.
+-.IP "extend [MIBOID] NAME PROG ARGS"
++.IP "extend [-cacheTime TIME] [-execType TYPE] [MIBOID] NAME PROG ARGS"
+ works in a similar manner to the \fIexec\fR directive, but with a number
+ of improvements.  The MIB tables (\fInsExtendConfigTable\fR
+ etc) are indexed by the NAME token, so are unaffected by the order in
+@@ -1294,6 +1294,14 @@
+ for each \fIextend\fR entry, and the other (\fInsExtendOutput2Table\fR)
+ containing the complete output as a series of separate lines.
+ .IP
++If -cacheTime is specified, then its argument is used as the cache timeout
++(in whole seconds) for this \fIextend\fR entry. This mechanism provides a
++non-volatile way to specify the cache timeout.
++.IP
++If -execType is specified and has a value of \fIsh\fR, then this \fIextend\fR
++entry will be run in a shell. Otherwise it will be run in the default \fIexec\fR
++fashion. This mechanism provides a non-volatile way to specify the exec type.
++.IP
+ If MIBOID is specified, then the configuration and result tables will be rooted
+ at this point in the OID tree, but are otherwise structured in exactly
+ the same way. This means that several separate \fIextend\fR
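Review bot: the synopsis `extend [-cacheTime TIME] [-execType TYPE] [MIBOID] NAME PROG ARGS` is right, but the text should state that the two flags must appear in exactly that order and before MIBOID, and that a TIME of 0 or a non-numeric value leaves the default cache timeout in place rather than being an error. The `-execType` paragraph would also be clearer if it said that `sh` passes PROG and ARGS through a shell exactly as the `extend-sh` directive does, so administrators can see the two forms are equivalent and weigh the shell interpretation of ARGS accordingly.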
