From 3e080be02f5e05c46f5d3034144c3fa7a06d2ce099a528106e7807f9ba900892 Mon Sep 17 00:00:00 2001
From: Stephan Kulow <coolo@suse.com>
Date: Wed, 16 May 2012 10:26:12 +0000
Subject: [PATCH] Accepting request 120977 from net-snmp:factory

Add fix for bnc#759352 (CVE-2012-2141).

OBS-URL: https://build.opensuse.org/request/show/120977
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/net-snmp?expand=0&rev=57
---
 net-snmp-5.7.1-fix-array-index-error.patch | 30 ++++++++++++++++++++++
 net-snmp.changes                           |  6 +++++
 net-snmp.spec                              |  2 ++
 3 files changed, 38 insertions(+)
 create mode 100644 net-snmp-5.7.1-fix-array-index-error.patch

diff --git a/net-snmp-5.7.1-fix-array-index-error.patch b/net-snmp-5.7.1-fix-array-index-error.patch
new file mode 100644
index 0000000..6210749
--- /dev/null
+++ b/net-snmp-5.7.1-fix-array-index-error.patch
@@ -0,0 +1,30 @@
+commit 4c5633f1603e4bd03ed05c37d782ec8911759c47
+Author: Robert Story <rstory@freesnmp.com>
+Date:   Mon May 14 11:40:06 2012 -0400
+
+    NEWS: snmp: BUG: 3526549: CVE-2012-2141 Array index error leading to crash
+
+Index: net-snmp-5.7.1/agent/mibgroup/agent/extend.c
+===================================================================
+--- net-snmp-5.7.1.orig/agent/mibgroup/agent/extend.c
++++ net-snmp-5.7.1/agent/mibgroup/agent/extend.c
+@@ -1209,7 +1209,7 @@ _extend_find_entry( netsnmp_request_info
+              * ...and check the line requested is valid
+              */
+             line_idx = *table_info->indexes->next_variable->val.integer;
+-            if (eptr->numlines < line_idx)
++            if (line_idx < 1 || line_idx > eptr->numlines)
+                 return NULL;
+         }
+     }
+@@ -1380,6 +1380,10 @@ handle_nsExtendOutput2Table(netsnmp_mib_
+                  * Determine which line we've been asked for....
+                  */
+                 line_idx = *table_info->indexes->next_variable->val.integer;
++                if (line_idx < 1 || line_idx > extension->numlines) {
++                    netsnmp_set_request_error(reqinfo, request, SNMP_NOSUCHINSTANCE);
++                    continue;
++                }
+                 cp  = extension->lines[line_idx-1];
+ 
+                 /* 
diff --git a/net-snmp.changes b/net-snmp.changes
index 89b801b..0f0b76a 100644
--- a/net-snmp.changes
+++ b/net-snmp.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon May 14 17:39:17 UTC 2012 - lchiquitto@suse.com
+
+- fix array index error that could lead to a crash (CVE-2012-2141)
+  (bnc#759352)
+
 -------------------------------------------------------------------
 Thu Mar 29 22:14:55 UTC 2012 - lchiquitto@suse.com
 
diff --git a/net-snmp.spec b/net-snmp.spec
index 815a4a4..e466bfa 100644
--- a/net-snmp.spec
+++ b/net-snmp.spec
@@ -76,6 +76,7 @@ Patch20:        net-snmp-5.7.1-log-agentx-disconnections.patch
 Patch21:        net-snmp-5.7.1-more-robust-handling-of-agentx-errors.patch
 Patch22:        net-snmp-5.7.1-report-problems-with-setundo-processing.patch
 Patch23:        net-snmp-5.7.1-fix-snmpd-crashing-when-an-agentx-disconnects.patch
+Patch24:        net-snmp-5.7.1-fix-array-index-error.patch
 #
 Summary:        SNMP Daemon
 License:        BSD-3-Clause ; MIT
@@ -237,6 +238,7 @@ Authors:
 %patch21 -p1
 %patch22 -p1
 %patch23 -p1
+%patch24 -p1
 
 %build
 MIBS="misc/ipfwacc ucd-snmp/diskio etherlike-mib rmon-mib velocity smux \