On Sun, Jan 07, 2007 at 11:19:30PM +0000, Jeroen Massar wrote:
> traceroute6.c
> 693  * Convert an ICMP "type" field to a printable string.
> 694  */
> 695 char *
> 696 pr_type(unsigned char t)
> ...
> 705         static char *ttab2[] = {
> 706                 "Echo Reply",
> 707                 "Echo Request",
> 708                 "Membership Query",
> 709                 "Membership Report",
> 710                 "Membership Reduction",
> 711         };
> ...
> 718         if (t >= 128 && t <= 132)
> 719         {
> 720                 return (ttab2[t]);
> 721         }
Yes, that is pretty stupid, and obviously very wrong. However, I see no form of exploit for this other than a denial of service. Denial of service of traceroute6 doesn't seem to be super critical.

You describe this bug as a "remote root hole" in the subject of your mail. However, I fail to see any potential for code injection, and certainly not in a root context. traceroute6 has long since dropped root privileges by the time pr_type has been called.

I've already committed a fix to my svn repository. I'll upload it soon for sid. It's probably no big deal to get it into etch.

noah
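The defect under discussion and its fix, as an added example that is not part of the thread or of the traceroute6 source: the five-entry table is the one quoted above, while `ttab2_index_ok`, `pr_type_fixed` and `TTAB2_BASE` are names assumed here to show the out-of-bounds subscript and a bounds-checked replacement.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The type-name table quoted from traceroute6.c, covering ICMPv6 types
 * 128..132.  Everything else in this file is example code, not upstream. */
static const char *ttab2[] = {
    "Echo Reply",           /* 128 */
    "Echo Request",         /* 129 */
    "Membership Query",     /* 130 */
    "Membership Report",    /* 131 */
    "Membership Reduction", /* 132 */
};

#define TTAB2_BASE 128u
#define TTAB2_LEN  (sizeof(ttab2) / sizeof(ttab2[0]))

/* Is idx a valid subscript into ttab2?  The quoted code subscripts the
 * five-entry table with the raw type value t (128..132), so every index
 * it ever produces lies past the end of the array.  The access is a read
 * of a stray pointer (and then of whatever it points at), which is why
 * the reply rates it as a crash / denial of service rather than code
 * execution. */
int ttab2_index_ok(size_t idx)
{
    return idx < TTAB2_LEN;
}

/* Corrected lookup: rebase the type onto the table before subscripting,
 * and derive the upper bound from the table size so that the range check
 * and the table cannot drift apart when entries are added. */
const char *pr_type_fixed(unsigned char t)
{
    if (t >= TTAB2_BASE && (size_t)(t - TTAB2_BASE) < TTAB2_LEN)
        return ttab2[t - TTAB2_BASE];
    return "OUT-OF-RANGE";
}

int main(void)
{
    /* The original expression ttab2[t] with t == 128 is out of bounds;
     * ttab2[t - 128] is the intended subscript. */
    printf("ttab2[128] in bounds? %d\n", ttab2_index_ok(128));
    printf("ttab2[128 - 128] in bounds? %d\n", ttab2_index_ok(128 - TTAB2_BASE));
    for (unsigned t = 126; t <= 134; t++)
        printf("type %u -> %s\n", t, pr_type_fixed((unsigned char)t));
    return 0;
}
```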