Version in base suite: 5.9.3+dfsg-2

Base version: net-snmp_5.9.3+dfsg-2
Target version: net-snmp_5.9.3+dfsg-2+deb12u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/net-snmp/net-snmp_5.9.3+dfsg-2.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/n/net-snmp/net-snmp_5.9.3+dfsg-2+deb12u1.dsc

 changelog                        |    9 +++
 patches/linux_systemstats        |  114 +++++++++++++++++++++++++++++++++++++++
 patches/series                   |    2 
 patches/snmptrapd_trapoid_length |   27 +++++++++
 4 files changed, 152 insertions(+)

dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmppzxwx89v/net-snmp_5.9.3+dfsg-2.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmppzxwx89v/net-snmp_5.9.3+dfsg-2+deb12u1.dsc: no acceptable signature found
diff -Nru net-snmp-5.9.3+dfsg/debian/changelog net-snmp-5.9.3+dfsg/debian/changelog
--- net-snmp-5.9.3+dfsg/debian/changelog	2023-01-03 02:01:46.000000000 +0000
+++ net-snmp-5.9.3+dfsg/debian/changelog	2025-12-30 01:46:17.000000000 +0000
@@ -1,3 +1,12 @@
+net-snmp (5.9.3+dfsg-2+deb12u1) bookworm-security; urgency=high
+
+  * Security patch
+     - Fixed a critical vulnerability in snmptrapd triggered by a specially
+       crafted trap CVE-2025-68615 Closes: #1123861
+  * Update systemstats_linux to get expected header length Closes: #1069087
+
+ -- Craig Small <csmall@debian.org>  Tue, 30 Dec 2025 12:46:17 +1100
+
 net-snmp (5.9.3+dfsg-2) unstable; urgency=medium
 
   [ Helmut Grohne ]
diff -Nru net-snmp-5.9.3+dfsg/debian/patches/linux_systemstats net-snmp-5.9.3+dfsg/debian/patches/linux_systemstats
--- net-snmp-5.9.3+dfsg/debian/patches/linux_systemstats	1970-01-01 00:00:00.000000000 +0000
+++ net-snmp-5.9.3+dfsg/debian/patches/linux_systemstats	2025-12-30 01:46:17.000000000 +0000
@@ -0,0 +1,114 @@
+Description: Add Linux 6.7 compatibility parsing /proc/net/snmp 
+ Linux 6.7 adds a new OutTransmits field to Ip in /proc/net/snmp.
+ This breaks the hard-coded assumptions about the Ip line length.
+ Add compatibility to parse Linux 6.7 Ip header while keep support
+ for previous versions.
+Author: Philippe Troin <phil+github-commits@fifi.org>
+Origin: upstream, https://github.com/net-snmp/net-snmp/commit/49d60ba57f4b462df7dc5fd5b38b4425dab0982c
+Bug-Debian: https://bugs.debian.org/1069087
+Reviewed-by: Craig Small <csmall@debian.org>
+Last-Update: 2024-08-01
+--- a/agent/mibgroup/ip-mib/data_access/systemstats_linux.c
++++ b/agent/mibgroup/ip-mib/data_access/systemstats_linux.c
+@@ -36,7 +36,7 @@
+ }
+ 
+ /*
+-  /proc/net/snmp
++  /proc/net/snmp - Linux 6.6 and lower
+ 
+   Ip: Forwarding DefaultTTL InReceives InHdrErrors InAddrErrors ForwDatagrams InUnknownProtos InDiscards InDelivers OutRequests OutDiscards OutNoRoutes ReasmTimeout ReasmReqds ReasmOKs ReasmFails FragOKs FragFails FragCreates
+   Ip: 2 64 7083534 0 0 0 0 0 6860233 6548963 0 0 1 286623 63322 1 259920 0 0
+@@ -49,6 +49,26 @@
+   
+   Udp: InDatagrams NoPorts InErrors OutDatagrams
+   Udp: 1491094 122 0 1466178
++*
++  /proc/net/snmp - Linux 6.7 and higher
++
++  Ip: Forwarding DefaultTTL InReceives InHdrErrors InAddrErrors ForwDatagrams InUnknownProtos InDiscards InDelivers OutRequests OutDiscards OutNoRoutes ReasmTimeout ReasmReqds ReasmOKs ReasmFails FragOKs FragFails FragCreates OutTransmits
++  Ip: 1 64 50859058 496 0 37470604 0 0 20472980 7515791 1756 0 0 7264 3632 0 3548 0 7096 44961424
++
++  Icmp: InMsgs InErrors InCsumErrors InDestUnreachs InTimeExcds InParmProbs InSrcQuenchs InRedirects InEchos InEchoReps InTimestamps InTimestampReps InAddrMasks InAddrMaskReps OutMsgs OutErrors OutRateLimitGlobal OutRateLimitHost OutDestUnreachs OutTimeExcds OutParmProbs OutSrcQuenchs OutRedirects OutEchos OutEchoReps OutTimestamps OutTimestampReps OutAddrMasks OutAddrMaskReps
++  Icmp: 114447 2655 0 17589 0 0 0 0 66905 29953 0 0 0 0 143956 0 0 572 16610 484 0 0 0 59957 66905 0 0 0 0
++
++  IcmpMsg: InType0 InType3 InType8 OutType0 OutType3 OutType8 OutType11
++  IcmpMsg: 29953 17589 66905 66905 16610 59957 484
++
++  Tcp: RtoAlgorithm RtoMin RtoMax MaxConn ActiveOpens PassiveOpens AttemptFails EstabResets CurrEstab InSegs OutSegs RetransSegs InErrs OutRsts InCsumErrors
++  Tcp: 1 200 120000 -1 17744 13525 307 3783 6 18093137 9277788 3499 8 7442 0
++
++  Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti MemErrors
++  Udp: 2257832 1422 0 2252835 0 0 0 84 0
++
++  UdpLite: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti MemErrors
++  UdpLite: 0 0 0 0 0 0 0 0 0
+ */
+ 
+ 
+@@ -101,10 +121,10 @@
+     FILE           *devin;
+     char            line[1024];
+     netsnmp_systemstats_entry *entry = NULL;
+-    int             scan_count;
++    int             scan_count, expected_scan_count;
+     char           *stats, *start = line;
+     int             len;
+-    unsigned long long scan_vals[19];
++    unsigned long long scan_vals[20];
+ 
+     DEBUGMSGTL(("access:systemstats:container:arch", "load v4 (flags %x)\n",
+                 load_flags));
+@@ -126,10 +146,17 @@
+      */
+     NETSNMP_IGNORE_RESULT(fgets(line, sizeof(line), devin));
+     len = strlen(line);
+-    if (224 != len) {
++    switch (len) {
++    case 224:
++	expected_scan_count = 19;
++	break;
++    case 237:
++	expected_scan_count = 20;
++	break;
++    default:
+         fclose(devin);
+         snmp_log(LOG_ERR, "systemstats_linux: unexpected header length in /proc/net/snmp."
+-                 " %d != 224\n", len);
++                 " %d not in { 224, 237 } \n", len);
+         return -4;
+     }
+ 
+@@ -178,20 +205,20 @@
+         memset(scan_vals, 0x0, sizeof(scan_vals));
+         scan_count = sscanf(stats,
+                             "%llu %llu %llu %llu %llu %llu %llu %llu %llu %llu"
+-                            "%llu %llu %llu %llu %llu %llu %llu %llu %llu",
++                            "%llu %llu %llu %llu %llu %llu %llu %llu %llu %llu",
+                             &scan_vals[0],&scan_vals[1],&scan_vals[2],
+                             &scan_vals[3],&scan_vals[4],&scan_vals[5],
+                             &scan_vals[6],&scan_vals[7],&scan_vals[8],
+                             &scan_vals[9],&scan_vals[10],&scan_vals[11],
+                             &scan_vals[12],&scan_vals[13],&scan_vals[14],
+                             &scan_vals[15],&scan_vals[16],&scan_vals[17],
+-                            &scan_vals[18]);
++                            &scan_vals[18],&scan_vals[19]);
+         DEBUGMSGTL(("access:systemstats", "  read %d values\n", scan_count));
+ 
+-        if(scan_count != 19) {
++        if(scan_count != expected_scan_count) {
+             snmp_log(LOG_ERR,
+                      "error scanning systemstats data (expected %d, got %d)\n",
+-                     19, scan_count);
++                     expected_scan_count, scan_count);
+             netsnmp_access_systemstats_entry_free(entry);
+             return -4;
+         }
+@@ -223,6 +250,7 @@
+         entry->stats.HCOutFragFails.high = scan_vals[17] >> 32;
+         entry->stats.HCOutFragCreates.low = scan_vals[18] & 0xffffffff;
+         entry->stats.HCOutFragCreates.high = scan_vals[18] >> 32;
++        /* entry->stats. = scan_vals[19]; / * OutTransmits */
+ 
+         entry->stats.columnAvail[IPSYSTEMSTATSTABLE_HCINRECEIVES] = 1;
+         entry->stats.columnAvail[IPSYSTEMSTATSTABLE_INHDRERRORS] = 1;
diff -Nru net-snmp-5.9.3+dfsg/debian/patches/series net-snmp-5.9.3+dfsg/debian/patches/series
--- net-snmp-5.9.3+dfsg/debian/patches/series	2023-01-03 02:01:46.000000000 +0000
+++ net-snmp-5.9.3+dfsg/debian/patches/series	2025-12-30 01:46:17.000000000 +0000
@@ -41,3 +41,5 @@
 makefile_trap_needs_agent
 includes_fix_national_encoding
 agent_set_null_varbind
+snmptrapd_trapoid_length
+linux_systemstats
diff -Nru net-snmp-5.9.3+dfsg/debian/patches/snmptrapd_trapoid_length net-snmp-5.9.3+dfsg/debian/patches/snmptrapd_trapoid_length
--- net-snmp-5.9.3+dfsg/debian/patches/snmptrapd_trapoid_length	1970-01-01 00:00:00.000000000 +0000
+++ net-snmp-5.9.3+dfsg/debian/patches/snmptrapd_trapoid_length	2025-12-30 01:46:17.000000000 +0000
@@ -0,0 +1,27 @@
+Description: snmptrapd: Fix out-of-bounds trapOid[] accesses
+ Fixes: https://issues.oss-fuzz.com/issues/457106694
+ Fixes: https://issues.oss-fuzz.com/issues/458668421
+ Fixes: https://issues.oss-fuzz.com/issues/458876071
+ -
+ Fixes: CVE-2025-68615
+Author: Bart Van Assche <bvanassche@acm.org>
+Origin: upstream, https://github.com/net-snmp/net-snmp/commit/4a201ac239d2cedff32a9205d389fdb523487878
+Bug-Debian: https://bugs.debian.org/1123861
+Applied-Upstream: 5.9.5
+Reviewed-by: Craig Small <csmall@debian.org>
+Last-Update: 2025-12-28
+--- a/apps/snmptrapd_handlers.c
++++ b/apps/snmptrapd_handlers.c
+@@ -1112,6 +1112,12 @@
+ 	     */
+             if (pdu->trap_type == SNMP_TRAP_ENTERPRISESPECIFIC) {
+                 trapOidLen = pdu->enterprise_length;
++                /*
++                 * Drop packets that would trigger an out-of-bounds trapOid[]
++                 * access.
++                 */
++                if (trapOidLen < 1 || trapOidLen > OID_LENGTH(trapOid) - 2)
++                    return 1;
+                 memcpy(trapOid, pdu->enterprise, sizeof(oid) * trapOidLen);
+                 if (trapOid[trapOidLen - 1] != 0) {
+                     trapOid[trapOidLen++] = 0;