Multiple security issues were discovered by Vasiliy Kulikov in radvd, an IPv6 Router Advertisement daemon: CVE-2011-3602 set_interface_var() function doesn't check the interface name, which is chosen by an unprivileged user. This could lead to an arbitrary file overwrite if the attacker has local access, or specific files overwrites otherwise. CVE-2011-3604 process_ra() function lacks multiple buffer length checks which could lead to memory reads outside the stack, causing a crash of the daemon. CVE-2011-3605 process_rs() function calls mdelay() (a function to wait for a defined time) unconditionnally when running in unicast-only mode. As this call is in the main thread, that means all request processing is delayed (for a time up to MAX_RA_DELAY_TIME, 500 ms by default). An attacker could flood the daemon with router solicitations in order to fill the input queue, causing a temporary denial of service (processing would be stopped during all the mdelay() calls). Note: upstream and Debian default is to use anycast mode. For the oldstable distribution (lenny), this problem has been fixed in version 1:1.1-3.1. For the stable distribution (squeeze), this problem has been fixed in version 1:1.6-1.1. For the testing distribution (wheezy), this problem has been fixed in version 1:1.8-1.2. For the unstable distribution (sid), this problem has been fixed in version 1:1.8-1.2. We recommend that you upgrade your radvd packages.
Multiple security issues were discovered by Vasiliy Kulikov in radvd, an IPv6 Router Advertisement daemon:
set_interface_var() function doesn't check the interface name, which is chosen by an unprivileged user. This could lead to an arbitrary file overwrite if the attacker has local access, or specific files overwrites otherwise.
process_ra() function lacks multiple buffer length checks which could lead to memory reads outside the stack, causing a crash of the daemon.
process_rs() function calls mdelay() (a function to wait for a defined
time) unconditionnally when running in unicast-only mode. As this call
is in the main thread, that means all request processing is delayed (for
a time up to MAX_RA_DELAY_TIME, 500 ms by default). An attacker could
flood the daemon with router solicitations in order to fill the input
queue, causing a temporary denial of service (processing would be
stopped during all the mdelay() calls).
Note: upstream and Debian default is to use anycast mode.
For the oldstable distribution (lenny), this problem has been fixed in version 1:1.1-3.1.
For the stable distribution (squeeze), this problem has been fixed in version 1:1.6-1.1.
For the testing distribution (wheezy), this problem has been fixed in version 1:1.8-1.2.
For the unstable distribution (sid), this problem has been fixed in version 1:1.8-1.2.
We recommend that you upgrade your radvd packages.
Vulmon