Bug 1173453 (CVE-2019-20892)

Summary: VUL-0: CVE-2019-20892: net-snmp: double free in usm_free_usmStateReference function in snmplib/snmpusm.c via an SNMPv3 GetBulk request
Product: [Novell Products] SUSE Security Incidents
Reporter: Wolfgang Frisch <wolfgang.frisch>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED WORKSFORME
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/262310/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 1 Wolfgang Frisch 2020-07-14 16:37:40 UTC
Reproducer:
net-snmp-create-v3-user -A testsha1234 -a SHA -X testaes1234 -x AES testuser
systemctl start snmpd
snmpwalk -v3 -l authPriv -u testuser -a SHA -A "testsha1234" -x AES -X "testaes1234" localhost sysDescr.0 -n crash

Unexpected result:
snmp daemon crashes (core-dump)

Expected result:
SNMPv2-MIB::sysDescr.0 = STRING: Linux localhost.localdomain 3.10.0-957.el7.x86_64 #1 SMP Thu Oct 4 20:48:51 UTC 2018 x86_64

Comment 2 Wolfgang Frisch 2020-07-14 16:47:03 UTC
SUSE:SLE-11-SP1:Update   net-snmp   Not affected [1]
SUSE:SLE-12-SP1:Update   net-snmp   Not affected [1]
SUSE:SLE-15:Update       net-snmp   Not affected [1]
SUSE:SLE-15-SP1:Update   net-snmp   Not affected [1]
SUSE:SLE-15-SP2:Update   net-snmp   Not affected [1]

[1] not reproducible

Comment 3 Wolfgang Frisch 2020-07-14 16:55:30 UTC
It appears the bug was introduced in 5.8 which we don't ship yet.