[Pkg-net-snmp-devel] Bug#516801: Fw: CVE-2008-6123 applies to snmpd in lucid (and sid)
Corey Wright
undefined at pobox.com
Wed Jun 2 02:05:51 UTC 2010
the vulnerability seems to still exist in the 5.4.2.1~dfsg-5 source package.
i sent the attached email to the debian developers [1] nearly 48 hours ago
and it hasn't appeared in the pkg-net-snmp-devel archives, so i'm presuming
it got caught in a spam filter somewhere and instead hoping for better luck
filing it as a comment to bug #516801.
as the attached email states, sid's 5.4.2.1~dfsg-5 appears to be vulnerable
based on its snmplib/snmpUDPDomain.c and lack of applicable patches in
debian/patches.
i don't know what the previous patch looked like, but the attached patch
should apply cleanly as it takes into account debian's/ubuntu's incorrect
"%hd" (vs upstream's "%hu").
if i overlooked something in my analysis (as i did not observe the bug in
the resulting binary as i did with ubuntu's version, but just examined the
source code), then please disregard this email.
thanks for packaging net-snmp (as i run it on my lenny installations
without any problems)!
corey
--
undefined at pobox.com
[1] pkg-net-snmp-devel at lists.alioth.debian.org
[2] http://lists.alioth.debian.org/pipermail/pkg-net-snmp-devel/
-------------- next part --------------
An embedded message was scrubbed...
From: Corey Wright <undefined at pobox.com>
Subject: CVE-2008-6123 applies to snmpd in lucid (and sid)
Date: Mon, 31 May 2010 02:28:53 -0500
Size: 6721
URL: <http://lists.alioth.debian.org/pipermail/pkg-net-snmp-devel/attachments/20100601/3ac4b5ec/attachment.eml>
More information about the Pkg-net-snmp-devel
mailing list