fix CVE-2020-15862

CVE-2020-15862.patch

@@ -0,0 +1,84 @@
+From 77f6c60f57dba0aaea5d8ef1dd94bcd0c8e6d205 Mon Sep 17 00:00:00 2001
+From: Wes Hardaker <opensource@hardakers.net>
+Date: Thu, 23 Jul 2020 16:17:27 -0700
+Subject: [PATCH] make the extend mib read-only by default
+
+---
+ agent/mibgroup/agent/extend.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/agent/mibgroup/agent/extend.c b/agent/mibgroup/agent/extend.c
+index 5f8cedc..7bd2314 100644
+--- a/agent/mibgroup/agent/extend.c
++++ b/agent/mibgroup/agent/extend.c
+@@ -16,6 +16,13 @@
+ #define SHELLCOMMAND 3
+ #endif
+ 
++/*  This mib is potentially dangerous to turn on by default, since it
++ *  allows arbitrary commands to be set by anyone with SNMP WRITE
++ *  access to the MIB table.  If all of your users are "root" level
++ *  users, then it may be safe to turn on. */
++#define ENABLE_EXTEND_WRITE_ACCESS 0
++
++
+ netsnmp_feature_require(extract_table_row_data)
+ netsnmp_feature_require(table_data_delete_table)
+ #ifndef NETSNMP_NO_WRITE_SUPPORT
+@@ -742,7 +749,7 @@ handle_nsExtendConfigTable(netsnmp_mib_handler          *handler,
+          *
+          **********/
+ 
+-#ifndef NETSNMP_NO_WRITE_SUPPORT
++#if !defined(NETSNMP_NO_WRITE_SUPPORT) && ENABLE_EXTEND_WRITE_ACCESS
+         case MODE_SET_RESERVE1:
+             /*
+              * Validate the new assignments
+@@ -1068,7 +1075,7 @@ handle_nsExtendConfigTable(netsnmp_mib_handler          *handler,
+                 }
+             }
+             break;
+-#endif /* !NETSNMP_NO_WRITE_SUPPORT */ 
++#endif /* !NETSNMP_NO_WRITE_SUPPORT and ENABLE_EXTEND_WRITE_ACCESS */
+ 
+         default:
+             netsnmp_set_request_error(reqinfo, request, SNMP_ERR_GENERR);
+@@ -1076,7 +1083,7 @@ handle_nsExtendConfigTable(netsnmp_mib_handler          *handler,
+         }
+     }
+ 
+-#ifndef NETSNMP_NO_WRITE_SUPPORT
++#if !defined(NETSNMP_NO_WRITE_SUPPORT) && ENABLE_EXTEND_WRITE_ACCESS
+     /*
+      * If we're marking a given row as active,
+      *  then we need to check that it's ready.
+@@ -1101,7 +1108,7 @@ handle_nsExtendConfigTable(netsnmp_mib_handler          *handler,
+             }
+         }
+     }
+-#endif /* !NETSNMP_NO_WRITE_SUPPORT */
++#endif /* !NETSNMP_NO_WRITE_SUPPORT && ENABLE_EXTEND_WRITE_ACCESS */
+     
+     return SNMP_ERR_NOERROR;
+ }
+@@ -1590,7 +1597,7 @@ fixExec2Error(int action,
+     idx = name[name_len-1] -1;
+     exten = &compatability_entries[ idx ];
+ 
+-#ifndef NETSNMP_NO_WRITE_SUPPORT
++#if !defined(NETSNMP_NO_WRITE_SUPPORT) && ENABLE_EXTEND_WRITE_ACCESS
+     switch (action) {
+     case MODE_SET_RESERVE1:
+         if (var_val_type != ASN_INTEGER) {
+@@ -1611,7 +1618,7 @@ fixExec2Error(int action,
+     case MODE_SET_COMMIT:
+         netsnmp_cache_check_and_reload( exten->efix_entry->cache );
+     }
+-#endif /* !NETSNMP_NO_WRITE_SUPPORT */
++#endif /* !NETSNMP_NO_WRITE_SUPPORT && ENABLE_EXTEND_WRITE_ACCESS */
+     return SNMP_ERR_NOERROR;
+ }
+ #endif /* USING_UCD_SNMP_EXTENSIBLE_MODULE */
+-- 
+2.23.0
+

net-snmp.spec

@@ -3,7 +3,7 @@
 
 Name:            net-snmp
 Version:         5.8
-Release:         11
+Release:         12
 Epoch:           1
 Summary:         SNMP Daemon
 License:         BSD
@@ -42,6 +42,7 @@ Patch18:         CVE-2019-20892-3.patch
 Patch19:         CVE-2019-20892-4.patch
 Patch20:         CVE-2019-20892-5.patch
 Patch21:         CVE-2019-20892-6.patch
+Patch22:         CVE-2020-15862.patch
 
 %{?systemd_requires}
 BuildRequires:   systemd gcc openssl-devel bzip2-devel elfutils-devel libselinux-devel
@@ -321,6 +322,12 @@ LD_LIBRARY_PATH=%{buildroot}/%{_libdir} make test
 %{_mandir}/man1/fixproc*
 
 %changelog
+* Thu Oct 08 2020 wangxiaopeng <wangxiaopeng7@huawei.com> - 5.8-12
+- Type:cves
+- ID: CVE-2020-15862
+- SUG:NA
+- DESC: Fix  CVE-2020-15862
+
 * Tue Sep 01 2020 yuboyun <yuboyun@huawei.com> - 5.8-11
 - Type:NA
 - ID:NA