Date: Fri, 07 Mar 2014 10:38:46 +0530
From: Huzaifa Sidhpurwala <huzaifas@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: net-snmp agentx incorrect handling of multi-object requests DoS

On 03/06/2014 07:52 PM, Raphael Geissert wrote:
> Hi,
>
> It was found that the AgentX subagent of net-snmp can be stalled when
> a manager sends a multi-object request with a different number of
> subids. From the Debian bug report:
>
>> This happens if one of the requested OID is larger than the previous one:
>>
>> agentx/master: request for variable (iso.188.8.131.52.184.108.40.206.7.7)
>> agentx/master: request for variable (iso.220.127.116.11.18.104.22.168.2.10)
>> agentx/master: request for variable (iso.22.214.171.124.126.96.36.199.8.7)
>> agentx/master: request for variable (iso.188.8.131.52.184.108.40.206.1.3.101)
>>
>> First three OID contain 11 subid while the next one has 12 subid.
>
> Resulting error message from the subagent:
>> agentx: Oversized Object ID
>
> The bug is fixed upstream for the 5.4 branch in 5.4.4. From the
> upstream bug report this was also fixed in the 5.3 branch but I don't
> know on what specific version.
>
> Could a CVE id be assigned?
>

Isn't this the same as:
https://bugzilla.redhat.com/show_bug.cgi?id=1038007 ?

--
Huzaifa Sidhpurwala / Red Hat Security Response Team