[Pkg-net-snmp-devel] Bug#516801: Fw: CVE-2008-6123 applies to snmpd in lucid (and sid)

Corey Wright undefined at pobox.com
Wed Jun 2 02:05:51 UTC 2010

the vulnerability seems to still exist in the source package.

i sent the attached email to the debian developers [1] nearly 48 hours ago
and it hasn't appeared in the pkg-net-snmp-devel archives, so i'm presuming
it got caught in a spam filter somewhere and instead hoping for better luck
filing it as a comment to bug #516801.

as the attached email states, sid's appears to be vulnerable
based on its snmplib/snmpUDPDomain.c and lack of applicable patches in

i don't know what the previous patch looked like, but the attached patch
should apply cleanly as it takes into account debian's/ubuntu's incorrect
"%hd" (vs upstream's "%hu").

if i overlooked something in my analysis (as i did not observe the bug in
the resulting binary as i did with ubuntu's version, but just examined the
source code), then please disregard this email.

thanks for packaging net-snmp (as i run it on my lenny installations
without any problems)!

undefined at pobox.com

[1] pkg-net-snmp-devel at lists.alioth.debian.org
[2] http://lists.alioth.debian.org/pipermail/pkg-net-snmp-devel/
-------------- next part --------------
An embedded message was scrubbed...
From: Corey Wright <undefined at pobox.com>
Subject: CVE-2008-6123 applies to snmpd in lucid (and sid)
Date: Mon, 31 May 2010 02:28:53 -0500
Size: 6721
URL: <http://lists.alioth.debian.org/pipermail/pkg-net-snmp-devel/attachments/20100601/3ac4b5ec/attachment.eml>

More information about the Pkg-net-snmp-devel mailing list