[Pkg-net-snmp-devel] Bug#963713: Bug#963713: net-snmp: CVE-2019-20892

Craig Small csmall at debian.org
Mon Jun 29 13:50:34 BST 2020


Hi All
  There's a few goes of the required patches but I think I've got them all.
There was the v3doublefree2.patch, a format patch and then the first git
reference in the tracker where they have re-arranged the free function so
it tracks the reference count.

The result does compile and build packages and it is not too terrible about
the lintian warnings, but  I haven't installed or tested it yet; that's a
job for tomorrow (which is only an hour away, but it will be much longer
than that). If anyone is keen in the meantime go ahead and see if it works
for you.

 - Craig


On Sun, 28 Jun 2020 at 22:30, Salvatore Bonaccorso <carnil at debian.org>
wrote:

> Hi Andreas,
>
> On Fri, Jun 26, 2020 at 06:31:44PM -0300, Andreas Hasenack wrote:
> > I believe it was introduced in 5.8. The previous version we had was 5.7.3
> > and we didn't reproduce it there.
>
> I can confirm that it is not reproducible with the buster version with
> the avalable reproducer, but I was still searching evidence via a code
> change/upstream commit where the issue was really introduced.
>
> If you find/found so, could you please update us as well with that
> informaation so we can sync up the security-tracker information.
>
> Thanks for your work!
>
> Regards,
> Salvatore
>
> _______________________________________________
> Pkg-net-snmp-devel mailing list
> Pkg-net-snmp-devel at alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-net-snmp-devel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-net-snmp-devel/attachments/20200629/e622f8d0/attachment.html>


More information about the Pkg-net-snmp-devel mailing list