package/netsnmp: revert back to 5.9.3, backport security fix

In commit 13fc9dcb34926e9b6310b23662920c55c96d83a1, netsnmp was bumped
from 5.9.3 to 5.9.4 to fix two CVEs.

However, even though it's a minor version bump, there are actually 163
commits upstream between those two minor releases, and some of them
are breaking existing use-cases. In particular upstream
a2cb167514ac0c7e1b04e8f151e0b015501362e0 now requires that config_()
macros in MIB files are terminated with a semicolon, causing a build
breakage with existing MIB files that were totally valid with 5.9.3.

This commit therefore proposes to revert back to 5.9.3, by reverting
those two commits:

56caafceab3ec12669ccb7aa6fc8b653778064e1 package/netsnmp: fix musl build
13fc9dcb34926e9b6310b23662920c55c96d83a1 package/netsnmp: security bump to version 5.9.4

and instead revert the one upstream commit that fixes both CVEs.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
Note: for master, we probably want to keep the bump to 5.9.4, as it's
upstream decision. This commit is really intended for
2023.02.x (perhaps other maintenance branches), where we don't want to
break things for users.
---
 ...onfiguration-of-NETSNMP_FD_MASK_TYPE.patch | 38 ----------
 ...agent-disallow-SET-with-NULL-varbind.patch | 72 +++++++++++++++++++
 package/netsnmp/netsnmp.hash                  |  6 +-
 package/netsnmp/netsnmp.mk                    |  6 +-
 4 files changed, 80 insertions(+), 42 deletions(-)
 delete mode 100644 package/netsnmp/0001-Fix-configuration-of-NETSNMP_FD_MASK_TYPE.patch
 create mode 100644 package/netsnmp/0001-snmp_agent-disallow-SET-with-NULL-varbind.patch

On Thu, Nov 16 2023, Thomas Petazzoni via buildroot wrote:
> In commit 13fc9dcb34926e9b6310b23662920c55c96d83a1, netsnmp was bumped
> from 5.9.3 to 5.9.4 to fix two CVEs.
>
> However, even though it's a minor version bump, there are actually 163
> commits upstream between those two minor releases, and some of them
> are breaking existing use-cases. In particular upstream
> a2cb167514ac0c7e1b04e8f151e0b015501362e0 now requires that config_()
> macros in MIB files are terminated with a semicolon, causing a build
> breakage with existing MIB files that were totally valid with 5.9.3.
>
> This commit therefore proposes to revert back to 5.9.3, by reverting
> those two commits:
>
> 56caafceab3ec12669ccb7aa6fc8b653778064e1 package/netsnmp: fix musl build
> 13fc9dcb34926e9b6310b23662920c55c96d83a1 package/netsnmp: security bump to version 5.9.4
>
> and instead revert the one upstream commit that fixes both CVEs.

s/revert/backport/, I guess?

baruch

On Thu, 16 Nov 2023 16:01:03 +0200
Baruch Siach <baruch@tkos.co.il> wrote:

> > 56caafceab3ec12669ccb7aa6fc8b653778064e1 package/netsnmp: fix musl build
> > 13fc9dcb34926e9b6310b23662920c55c96d83a1 package/netsnmp: security bump to version 5.9.4
> >
> > and instead revert the one upstream commit that fixes both CVEs.  
> 
> s/revert/backport/, I guess?

Dang, yes, of course :-/

Thomas

Thomas, All,

On 2023-11-16 14:51 +0100, Thomas Petazzoni via buildroot spake thusly:
> In commit 13fc9dcb34926e9b6310b23662920c55c96d83a1, netsnmp was bumped
> from 5.9.3 to 5.9.4 to fix two CVEs.
> 
> However, even though it's a minor version bump, there are actually 163
> commits upstream between those two minor releases, and some of them
> are breaking existing use-cases. In particular upstream
> a2cb167514ac0c7e1b04e8f151e0b015501362e0 now requires that config_()
> macros in MIB files are terminated with a semicolon, causing a build
> breakage with existing MIB files that were totally valid with 5.9.3.
> 
> This commit therefore proposes to revert back to 5.9.3, by reverting
> those two commits:
> 
> 56caafceab3ec12669ccb7aa6fc8b653778064e1 package/netsnmp: fix musl build
> 13fc9dcb34926e9b6310b23662920c55c96d83a1 package/netsnmp: security bump to version 5.9.4
> 
> and instead revert the one upstream commit that fixes both CVEs.

s/revert/backport/ as noticed by Baruch.

> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

Applied to master, thanks.

> ---
> Note: for master, we probably want to keep the bump to 5.9.4, as it's
> upstream decision. This commit is really intended for
> 2023.02.x (perhaps other maintenance branches), where we don't want to
> break things for users.

I saw that comment a bit too late, and pushed to master.

However, after reasing the CHANGES file, I noticed that:

    IMPORTANT: SNMP over TLS and/or DTLS are not functioning properly
    in this release with various versions of OpenSSL and will be fixed
    in a future release.

So, it was anyway a good idea to revert (pfeew...)

Regards,
Yann E. MORIN.

> ---
>  ...onfiguration-of-NETSNMP_FD_MASK_TYPE.patch | 38 ----------
>  ...agent-disallow-SET-with-NULL-varbind.patch | 72 +++++++++++++++++++
>  package/netsnmp/netsnmp.hash                  |  6 +-
>  package/netsnmp/netsnmp.mk                    |  6 +-
>  4 files changed, 80 insertions(+), 42 deletions(-)
>  delete mode 100644 package/netsnmp/0001-Fix-configuration-of-NETSNMP_FD_MASK_TYPE.patch
>  create mode 100644 package/netsnmp/0001-snmp_agent-disallow-SET-with-NULL-varbind.patch
> 
> diff --git a/package/netsnmp/0001-Fix-configuration-of-NETSNMP_FD_MASK_TYPE.patch b/package/netsnmp/0001-Fix-configuration-of-NETSNMP_FD_MASK_TYPE.patch
> deleted file mode 100644
> index 91a00aec27..0000000000
> --- a/package/netsnmp/0001-Fix-configuration-of-NETSNMP_FD_MASK_TYPE.patch
> +++ /dev/null
> @@ -1,38 +0,0 @@
> -From a62169f1fa358be8f330ea8519ade0610fac525b Mon Sep 17 00:00:00 2001
> -From: Adam Gajda <adgajda@users.noreply.github.com>
> -Date: Mon, 2 Oct 2023 16:40:31 +0200
> -Subject: [PATCH] Fix configuration of NETSNMP_FD_MASK_TYPE
> -
> -Upstream: https://github.com/net-snmp/net-snmp/commit/a62169f1fa358be8f330ea8519ade0610fac525b
> -Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ----
> - configure                        | 2 +-
> - configure.d/config_project_types | 2 +-
> - 2 files changed, 2 insertions(+), 2 deletions(-)
> -
> -diff --git a/configure b/configure
> -index 9f0a173d8a..945a27c663 100755
> ---- a/configure
> -+++ b/configure
> -@@ -30871,7 +30871,7 @@ CFLAGS="$CFLAGS -Werror"
> - 
> - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for the type of fd_set::fds_bits" >&5
> - printf %s "checking for the type of fd_set::fds_bits... " >&6; }
> --for type in __fd_mask __int32_t unknown; do
> -+for type in __fd_mask __int32_t long\ int unknown; do
> -   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
> - /* end confdefs.h.  */
> - 
> -diff --git a/configure.d/config_project_types b/configure.d/config_project_types
> -index 1b4c66b95e..a78e8ebb06 100644
> ---- a/configure.d/config_project_types
> -+++ b/configure.d/config_project_types
> -@@ -66,7 +66,7 @@ netsnmp_save_CFLAGS=$CFLAGS
> - CFLAGS="$CFLAGS -Werror"
> - 
> - AC_MSG_CHECKING([for the type of fd_set::fds_bits])
> --for type in __fd_mask __int32_t unknown; do
> -+for type in __fd_mask __int32_t long\ int unknown; do
> -   AC_COMPILE_IFELSE([AC_LANG_PROGRAM([
> - #include <sys/select.h>
> - #include <stddef.h>
> diff --git a/package/netsnmp/0001-snmp_agent-disallow-SET-with-NULL-varbind.patch b/package/netsnmp/0001-snmp_agent-disallow-SET-with-NULL-varbind.patch
> new file mode 100644
> index 0000000000..3a6321d7a7
> --- /dev/null
> +++ b/package/netsnmp/0001-snmp_agent-disallow-SET-with-NULL-varbind.patch
> @@ -0,0 +1,72 @@
> +From b07627fa67c686b07d1eab123cf3e4887a2a93aa Mon Sep 17 00:00:00 2001
> +From: Bill Fenner <fenner@gmail.com>
> +Date: Fri, 25 Nov 2022 08:41:24 -0800
> +Subject: [PATCH] snmp_agent: disallow SET with NULL varbind
> +
> +Upstream: https://github.com/net-snmp/net-snmp/commit/4589352dac3ae111c7621298cf231742209efd9b
> +
> +[Thomas: this commit was merged as part of
> +https://github.com/net-snmp/net-snmp/pull/490/commits, which fixes
> +https://github.com/net-snmp/net-snmp/issues/474 (CVE-2022-44792) and
> +https://github.com/net-snmp/net-snmp/issues/475 (CVE-2022-44793). The
> +other two commits merged as part of this pull request are related to
> +adding a non-regression test for this, which is not relevant for the
> +security fix itself.]
> +
> +Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> +---
> + agent/snmp_agent.c | 32 ++++++++++++++++++++++++++++++++
> + 1 file changed, 32 insertions(+)
> +
> +diff --git a/agent/snmp_agent.c b/agent/snmp_agent.c
> +index 867d0c166f..3f678fe2df 100644
> +--- a/agent/snmp_agent.c
> ++++ b/agent/snmp_agent.c
> +@@ -3719,12 +3719,44 @@ netsnmp_handle_request(netsnmp_agent_session *asp, int status)
> +     return 1;
> + }
> + 
> ++static int
> ++check_set_pdu_for_null_varbind(netsnmp_agent_session *asp)
> ++{
> ++    int i;
> ++    netsnmp_variable_list *v = NULL;
> ++
> ++    for (i = 1, v = asp->pdu->variables; v != NULL; i++, v = v->next_variable) {
> ++	if (v->type == ASN_NULL) {
> ++	    /*
> ++	     * Protect SET implementations that do not protect themselves
> ++	     * against wrong type.
> ++	     */
> ++	    DEBUGMSGTL(("snmp_agent", "disallowing SET with NULL var for varbind %d\n", i));
> ++	    asp->index = i;
> ++	    return SNMP_ERR_WRONGTYPE;
> ++	}
> ++    }
> ++    return SNMP_ERR_NOERROR;
> ++}
> ++
> + int
> + handle_pdu(netsnmp_agent_session *asp)
> + {
> +     int             status, inclusives = 0;
> +     netsnmp_variable_list *v = NULL;
> + 
> ++#ifndef NETSNMP_NO_WRITE_SUPPORT
> ++    /*
> ++     * Check for ASN_NULL in SET request
> ++     */
> ++    if (asp->pdu->command == SNMP_MSG_SET) {
> ++	status = check_set_pdu_for_null_varbind(asp);
> ++	if (status != SNMP_ERR_NOERROR) {
> ++	    return status;
> ++	}
> ++    }
> ++#endif /* NETSNMP_NO_WRITE_SUPPORT */
> ++
> +     /*
> +      * for illegal requests, mark all nodes as ASN_NULL 
> +      */
> +-- 
> +2.41.0
> +
> diff --git a/package/netsnmp/netsnmp.hash b/package/netsnmp/netsnmp.hash
> index 7898941271..e1e9d10898 100644
> --- a/package/netsnmp/netsnmp.hash
> +++ b/package/netsnmp/netsnmp.hash
> @@ -1,7 +1,7 @@
>  # Locally calculated after checking pgp signature at
> -# https://sourceforge.net/projects/net-snmp/files/net-snmp/5.9.4/net-snmp-5.9.4.tar.gz.asc
> -# using key 6E6718AEF1EB5C65C32D1B2A356BC0B552D53CAB
> -sha256  8b4de01391e74e3c7014beb43961a2d6d6fa03acc34280b9585f4930745b0544  net-snmp-5.9.4.tar.gz
> +# https://sourceforge.net/projects/net-snmp/files/net-snmp/5.9.3/net-snmp-5.9.3.tar.gz.asc
> +# using key D0F8F495DA6160C44EFFBF10F07B9D2DACB19FD6
> +sha256  2097f29b7e1bf3f1300b4bae52fa2308d0bb8d5d3998dbe02f9462a413a2ef0a  net-snmp-5.9.3.tar.gz
>  
>  # Hash for license file
>  sha256  ed869ea395a1f125819a56676385ab0557a21507764bf56f2943302011381e59  COPYING
> diff --git a/package/netsnmp/netsnmp.mk b/package/netsnmp/netsnmp.mk
> index b5cda30a7b..fafd604879 100644
> --- a/package/netsnmp/netsnmp.mk
> +++ b/package/netsnmp/netsnmp.mk
> @@ -4,13 +4,17 @@
>  #
>  ################################################################################
>  
> -NETSNMP_VERSION = 5.9.4
> +NETSNMP_VERSION = 5.9.3
>  NETSNMP_SITE = https://downloads.sourceforge.net/project/net-snmp/net-snmp/$(NETSNMP_VERSION)
>  NETSNMP_SOURCE = net-snmp-$(NETSNMP_VERSION).tar.gz
>  NETSNMP_LICENSE = Various BSD-like
>  NETSNMP_LICENSE_FILES = COPYING
>  NETSNMP_CPE_ID_VENDOR = net-snmp
>  NETSNMP_CPE_ID_PRODUCT = $(NETSNMP_CPE_ID_VENDOR)
> +# 0001-snmp_agent-disallow-SET-with-NULL-varbind.patch
> +NETSNMP_IGNORE_CVES = \
> +	CVE-2022-44792 \
> +	CVE-2022-44793
>  NETSNMP_SELINUX_MODULES = snmp
>  NETSNMP_INSTALL_STAGING = YES
>  NETSNMP_CONF_ENV = \
> -- 
> 2.41.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

On 26/11/2023 18.34, Yann E. MORIN wrote:
> Thomas, All,
> 
> On 2023-11-16 14:51 +0100, Thomas Petazzoni via buildroot spake thusly:
>> In commit 13fc9dcb34926e9b6310b23662920c55c96d83a1, netsnmp was bumped
>> from 5.9.3 to 5.9.4 to fix two CVEs.
>>
>> However, even though it's a minor version bump, there are actually 163
>> commits upstream between those two minor releases, and some of them
>> are breaking existing use-cases. In particular upstream
>> a2cb167514ac0c7e1b04e8f151e0b015501362e0 now requires that config_()
>> macros in MIB files are terminated with a semicolon, causing a build
>> breakage with existing MIB files that were totally valid with 5.9.3.
>>
>> This commit therefore proposes to revert back to 5.9.3, by reverting
>> those two commits:
>>
>> 56caafceab3ec12669ccb7aa6fc8b653778064e1 package/netsnmp: fix musl build
>> 13fc9dcb34926e9b6310b23662920c55c96d83a1 package/netsnmp: security bump to version 5.9.4
>>
>> and instead revert the one upstream commit that fixes both CVEs.
> 
> s/revert/backport/ as noticed by Baruch.
> 
>> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> 
> Applied to master, thanks.
> 
>> ---
>> Note: for master, we probably want to keep the bump to 5.9.4, as it's
>> upstream decision. This commit is really intended for
>> 2023.02.x (perhaps other maintenance branches), where we don't want to
>> break things for users.
> 
> I saw that comment a bit too late, and pushed to master.
> 
> However, after reasing the CHANGES file, I noticed that:
> 
>      IMPORTANT: SNMP over TLS and/or DTLS are not functioning properly
>      in this release with various versions of OpenSSL and will be fixed
>      in a future release.
> 
> So, it was anyway a good idea to revert (pfeew...)

Yeah, lets release 2023.11 with 5.9.3 and then revisit this issue for 
2024.02.

Committed to 2023.02.x and 2023.08.x, thanks.