On Mon, 12 Dec 2022, Ed Maste wrote:

We've seen many blog posts and news articles about this issue and
unfortunately most of them get the details wrong. So, to clarify:

- This issue affects only /sbin/ping, not kernel ICMP handling.
- The issue relies on receipt of malicious packet(s) while the ping
 utility is running (i.e., while pinging a host).
- ping(8) is setuid root, but drops privilege (to that of the user
 executing it) after opening sockets but before sending or receiving
 data.
- ping(8) runs in a Capsicum capability sandbox, such that even in the
 event of a compromise the attacker is quite limited (has no access to
 global namespaces, such as the filesystem).
- It is believed that exploitation is not possible due to the stack
 layout on affected platforms.
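The privilege sequence the message describes for ping(8) (open the raw socket while still root, drop to the invoking user, then enter the capability sandbox), as an added C example that is not Ed's text or FreeBSD's ping source. It assumes the POSIX setuid/setgid family; cap_enter() is compiled in only on FreeBSD, and the raw-socket open is expected to fail when the program is not run with root privilege.

```c
/* Added example: the "open socket as root, drop privilege, sandbox"
 * ordering described for ping(8). Not FreeBSD's ping code. */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>   /* cap_enter() exists only on FreeBSD */
#endif

/* Step 1: the only work that needs root, done before anything else.
 * Returns the descriptor, or -1 with errno set (EPERM when not root). */
int open_icmp_socket(void) {
    return socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
}

/* Step 2: permanently drop to the real (invoking) user's identity.
 * Group first: once the uid is no longer 0, setgid() would be refused.
 * Returns 0 on success, -1 if the drop failed or could be undone. */
int drop_privileges(void) {
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (setgid(rgid) != 0) return -1;
    if (setuid(ruid) != 0) return -1;
    /* A real drop must be irreversible: regaining uid 0 has to fail
     * (unless the caller was root to begin with, so nothing was dropped). */
    if (ruid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* Step 3: confine the process before any packet is sent or parsed, so a
 * compromised parser has no access to global namespaces such as the
 * filesystem. On non-Capsicum platforms this reports ENOSYS. */
int enter_sandbox(void) {
#ifdef __FreeBSD__
    return cap_enter();
#else
    errno = ENOSYS;
    return -1;
#endif
}

int main(void) {
    int s = open_icmp_socket();
    if (s < 0) perror("raw ICMP socket (needs root; continuing)");
    if (drop_privileges() != 0) { perror("drop_privileges"); return 1; }
    if (enter_sandbox() != 0) perror("cap_enter");
    printf("now running as uid %d, gid %d\n", (int)geteuid(), (int)getegid());
    if (s >= 0) close(s);
    return 0;
}
```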
Thanks for the detailed summation.

Ted