On Sun, Jan 07, 2007 at 11:19:30PM +0000, Jeroen Massar wrote:
> traceroute6.c
>  * Convert an ICMP "type" field to a printable string.
>  */
> char * pr_type(unsigned char t)
> {
> ...
>     static char *ttab2[] = {
>         "Echo Reply",
>         "Echo Request",
>         "Membership Query",
>         "Membership Report",
>         "Membership Reduction",
>     };
> ...
>     if (t >= 128 && t <= 132)
>     {
>         return (ttab2[t]);
>     }

Yes, that is pretty stupid, and obviously very wrong. However, I see no form of exploit for this other than a denial of service. Denial of service of traceroute6 doesn't seem to be super critical.

You describe this bug as a "remote root hole" in the subject of your mail. However, I fail to see any potential for code injection, and certainly not in a root context. traceroute6 has long since dropped root privileges by the time pr_type has been called.

I've already committed a fix to my svn repository. I'll upload it soon for sid. It's probably no big deal to get it into etch.

noah
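The defect under discussion, as an added example that is not code from the traceroute6 source or from either mail: the quoted check and index reproduced beside a corrected form, plus a helper that computes how far past the five-entry table the quoted `ttab2[t]` lands for each type it accepts. The table order used here (128 Echo Request, 129 Echo Reply, 130 to 132 the MLD Query, Report and Done messages, per RFC 4443 and RFC 2710), the `TTAB2_BASE`/`TTAB2_LEN` names, and the `"unknown"` fallback are this example's own choices, not the project's.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Name table for ICMPv6 types 128..132, numbered as in RFC 4443 (echo)
 * and RFC 2710 (MLD).  Keeping the base type and the length next to the
 * table is what makes the index arithmetic below checkable.
 */
#define TTAB2_BASE 128
static const char *const ttab2[] = {
    "Echo Request",          /* 128 */
    "Echo Reply",            /* 129 */
    "Membership Query",      /* 130, MLD Query  */
    "Membership Report",     /* 131, MLD Report */
    "Membership Reduction",  /* 132, MLD Done   */
};
#define TTAB2_LEN (sizeof ttab2 / sizeof ttab2[0])

/*
 * Same shape as the quoted pr_type(): the range check is right, the index
 * is not.  For t in 128..132 this reads ttab2[128..132] from a five-entry
 * array.  Kept here only for comparison with the arithmetic below; it is
 * deliberately never called, because that read is undefined behaviour.
 */
const char *pr_type_as_quoted(unsigned char t)
{
    if (t >= 128 && t <= 132)
        return ttab2[t];
    return "unknown";
}

/*
 * How many entries past the last valid slot (index TTAB2_LEN - 1) the
 * quoted index lands, or 0 for types the quoted check rejects.  For
 * 128..132 that is 124..128 entries, i.e. 124*sizeof(char *) bytes or
 * more beyond the table: whatever pointer-sized value sits there is
 * returned as a char* and later dereferenced by the caller's printf.
 */
size_t quoted_index_overrun(unsigned char t)
{
    if (t < 128 || t > 132)
        return 0;
    return (size_t)t - (TTAB2_LEN - 1);
}

/*
 * Corrected form: subtract the base, and derive the upper bound from the
 * table itself so that adding an entry cannot desynchronise the check.
 */
const char *pr_type_fixed(unsigned char t)
{
    if (t >= TTAB2_BASE && (size_t)(t - TTAB2_BASE) < TTAB2_LEN)
        return ttab2[t - TTAB2_BASE];
    return "unknown";
}

int main(void)
{
    /* Walk across both edges of the accepted range. */
    for (unsigned t = 126; t <= 134; t++)
        printf("type %3u -> %-20s  (quoted index would overrun by %zu entries)\n",
               t, pr_type_fixed((unsigned char)t),
               quoted_index_overrun((unsigned char)t));
    return 0;
}
```

The overrun helper makes the impact assessment concrete: the quoted code performs a read, not a write, of one pointer-sized slot well past the table, and then hands that value to the caller as a string pointer. A remote packet can therefore pick which of the five slots is read, but cannot choose what is stored there, so the likely outcome is a crash in the unprivileged traceroute6 process when the bogus pointer is printed.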

