Clarification on FreeBSD-SA-22:15.ping / CVE-2022-23093 ping(8) stack overflow

2022-12-12 Thread Ed Maste
We've seen many blog posts and news articles about this issue and
unfortunately most of them get the details wrong. So, to clarify:

- This issue affects only /sbin/ping, not kernel ICMP handling.
- The issue relies on receipt of malicious packet(s) while the ping
  utility is running (i.e., while pinging a host).
- ping(8) is setuid root, but drops privilege (to that of the user
  executing it) after opening sockets but before sending or receiving
  data.
- ping(8) runs in a Capsicum capability sandbox, such that even in the
  event of a compromise the attacker is quite limited (has no access to
  global namespaces, such as the filesystem).
- It is believed that exploitation is not possible due to the stack
  layout on affected platforms.
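
The mitigation layers listed above (acquire the raw socket while still root, drop the setuid privilege before touching any packet, then enter a Capsicum sandbox) are the reason a parsing bug in ping(8) is so hard to turn into anything useful. The following is an added example written for this post, not code from FreeBSD's ping(8) or from the advisory; it shows that startup ordering on any POSIX system and compiles the `cap_enter(2)` call only under `#ifdef __FreeBSD__`. The raw socket open is expected to fail with EPERM when run unprivileged; the privilege-drop check still runs and verifies that no elevated id remains.

```c
/* Added illustration of the ping(8) startup pattern described in the post:
 * socket first, drop privilege second, sandbox third.  Not ping's own code. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>   /* cap_enter(2), FreeBSD only */
#endif

/* Step 1: acquire the privileged resource while still root.
 * A raw ICMP socket needs root; returns -1 (errno EPERM/EACCES) otherwise. */
int open_icmp_socket(void)
{
    return socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
}

/* Step 2: drop the setuid privilege irrevocably.  Order matters: the group
 * must be set first, because setgid() would fail once we are no longer
 * root.  Returns 0 on success, -1 on failure (which a caller must treat as
 * fatal rather than continuing privileged). */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (setgid(rgid) != 0)
        return -1;
    if (setuid(ruid) != 0)
        return -1;
    /* Verify the drop took effect instead of trusting the return codes. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    return 0;
}

/* 1 if effective ids equal real ids for both uid and gid, else 0.
 * (If the real uid was already 0 there was nothing to drop.) */
int privileges_dropped(void)
{
    return geteuid() == getuid() && getegid() == getgid();
}

/* Step 3: enter capability mode.  After cap_enter(2) the process can no
 * longer reach global namespaces (filesystem paths, new sockets), so a
 * memory-safety bug in packet parsing cannot be turned into file or
 * network access.  Returns 0 when sandboxed, 1 when Capsicum is not
 * available on this OS (the caller decides whether that is fatal), -1 on error. */
int enter_sandbox(void)
{
#ifdef __FreeBSD__
    if (cap_enter() != 0 && errno != ENOSYS)
        return -1;
    return 0;
#else
    return 1;
#endif
}

/* Full startup sequence.  Stores the socket fd (or -1 if it could not be
 * opened) in *fd_out and returns 0 only once privilege has been dropped. */
int setup(int *fd_out)
{
    int fd = open_icmp_socket();
    if (drop_privileges() != 0) {
        if (fd >= 0)
            close(fd);
        return -1;
    }
    if (enter_sandbox() < 0) {
        if (fd >= 0)
            close(fd);
        return -1;
    }
    *fd_out = fd;
    return 0;
}

int main(void)
{
    int fd = -1;
    int rc = setup(&fd);
    printf("setup: %s; raw socket: %s; privileges dropped: %s\n",
           rc == 0 ? "ok" : "failed",
           fd >= 0 ? "opened" : "not opened (expected without root)",
           privileges_dropped() ? "yes" : "no");
    if (fd >= 0)
        close(fd);
    return rc == 0 ? 0 : 1;
}
```

Run unprivileged, the socket open fails but the program still reports the privilege drop as complete; run setuid root on FreeBSD, the socket is opened first and the process is in capability mode before any packet is read, which is the property the advisory relies on.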



Re: FreeBSD Security Advisory FreeBSD-SA-22:15.ping

2022-12-12 Thread Ed Maste
On Thu, 1 Dec 2022 at 10:28, mike tancsa wrote:
>
> My concern is the "evil server in the middle" ... Things like route
> hijacking are not that uncommon. I have a number of IoT devices out
> there I will need to patch, some still based on RELENG_11.

The bug was introduced after releng/11, so those ones won't be affected.