From $URL:

1) A privilege escalation flaw was found in radvd, due to a buffer overflow in the process_ra() function. ND_OPT_DNSSL_INFORMATION option parsing "label_len" was not checked for negative values, leading to a "suffix" buffer overflow which can lead to privilege escalation, at least if radvd is compiled without GCC's stack protection. If radvd is invoked without privilege separation (the -u option), this can lead to an escalation to root privileges. Note: Red Hat Enterprise Linux starts radvd by default with the unprivileged user. (CVE-2011-3601)

2) An arbitrary file overwrite flaw was found in radvd's set_interface_var() function, where it did not check the interface name (generated by the unprivileged user) and blindly overwrites a filename with a decimal value by the root process. If a local attacker could create symlinks pointing to arbitrary files on the system, they could overwrite the target file contents. If only radvd is compromised (e.g. no local access), the attacker may only overwrite files with specific names (PROC_SYS_IP6_* from radvd's pathnames.h). (CVE-2011-3602)

3) The radvd daemon would not fail on privsep_init() errors, which could cause it to run with full root privileges when it should be running as an unprivileged user. (CVE-2011-3603)

4) A number of buffer overread flaws were found in radvd's process_ra() function due to numerous missed len() checks. This can lead to memory reads outside of the stack, resulting in a crash of radvd. (CVE-2011-3604)

5) A temporary denial of service flaw was found in radvd's process_rs() function, where it would call mdelay() on the same thread in which it handled all input. If ->UnicastOnly were set, an attacker could cause a flood with ND_ROUTER_SOLICIT and fill the input queue of the daemon. This would cause a brief outage of approximately MAX_RA_DELAY_TIME / 2 * sizeof_input_queue when handling new clients, where MAX_RA_DELAY_TIME is 500ms, leading to delays of more than a minute.
Note: this is only the case in unicast-only mode; there is no denial of service in the (normal, default) anycast mode. (CVE-2011-3605)

---

Some additional issues fixed in radvd 1.8.2 were determined to have no obvious security relevance.
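As an added example (not radvd's code and not part of this bug), the C program below shows the two input checks that items 1) and 2) of the advisory describe as missing: a decoder for the name list in an ND_OPT_DNSSL_INFORMATION option that reads the label length as an unsigned value and bounds it against both the option and the destination buffer, and a validator for an interface name before a privileged process splices it into a /proc/sys/net/ipv6/conf path. The option bytes, buffer sizes and the names decode_name, decode_dnssl and ifname_is_safe are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not radvd's code. Layout of an ND_OPT_DNSSL_INFORMATION
 * option (RFC 6106): type(1) len(1, in 8-octet units) reserved(2) lifetime(4),
 * then DNS-style names (length byte + label, ..., 0 terminator), zero padded. */
#define DNSSL_HDR_LEN   8
#define MAX_LABEL_LEN   63
#define MAX_SUFFIX_LEN  255
#define MAX_NAMES       4

/* Decode one name starting at opt[pos] into suffix in "a.b.c" form.
 * Returns the position after the terminator, or -1 on malformed input.
 * label_len is unsigned here: a byte such as 0xC0 is 192 and fails the > 63
 * test instead of becoming -64 and slipping past it as a signed value would. */
static int decode_name(const uint8_t *opt, size_t opt_len, size_t pos,
                       char *suffix, size_t suffix_size)
{
    size_t out = 0;
    if (suffix_size == 0)
        return -1;
    for (;;) {
        if (pos >= opt_len)
            return -1;                         /* no terminator before end of option */
        unsigned int label_len = opt[pos++];
        if (label_len == 0)
            break;
        if (label_len > MAX_LABEL_LEN)
            return -1;                         /* too long (also catches 0xC0..0xFF) */
        if (label_len > opt_len - pos)
            return -1;                         /* label would read past the option */
        size_t need = label_len + (out ? 1 : 0) + 1;   /* label, '.', NUL */
        if (need > suffix_size - out)
            return -1;                         /* would overflow the suffix buffer */
        if (out)
            suffix[out++] = '.';
        memcpy(suffix + out, opt + pos, label_len);
        out += label_len;
        pos += label_len;
    }
    suffix[out] = '\0';
    return (int)pos;
}

/* Decode every name in a DNSSL option. opt points at the type byte and opt_len
 * is how many bytes were actually received. Returns the number of names, or -1. */
static int decode_dnssl(const uint8_t *opt, size_t opt_len,
                        char names[MAX_NAMES][MAX_SUFFIX_LEN + 1])
{
    if (opt_len < DNSSL_HDR_LEN)
        return -1;
    size_t declared = (size_t)opt[1] * 8;
    if (declared < DNSSL_HDR_LEN || declared > opt_len)
        return -1;                             /* declared length must fit the packet */
    size_t pos = DNSSL_HDR_LEN;
    int count = 0;
    while (pos < declared) {
        if (opt[pos] == 0) {                   /* zero padding after the last name */
            pos++;
            continue;
        }
        if (count == MAX_NAMES)
            return -1;
        int next = decode_name(opt, declared, pos, names[count], MAX_SUFFIX_LEN + 1);
        if (next < 0)
            return -1;
        pos = (size_t)next;
        count++;
    }
    return count;
}

/* Constructed check for an interface name before a root process turns it into
 * a /proc/sys/net/ipv6/conf/<ifname>/... path: Linux names are at most 15 bytes,
 * and anything that can alter the path (slash, "." or "..", control, space or
 * non-ASCII bytes, empty string) is refused. */
static int ifname_is_safe(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > 15)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '/' || c < 0x21 || c > 0x7e)
            return 0;
    }
    return 1;
}

/* Constructed sample options, not captured traffic (type 31 = DNSSL). */
static const uint8_t good_opt[24] = {
    31, 3, 0, 0, 0, 0, 0x0e, 0x10,            /* len 3 = 24 bytes, lifetime 3600 */
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0, 0, 0, 0 };
static const uint8_t bad_label_opt[24] = {   /* 0xC0 would be -64 in a signed char */
    31, 3, 0, 0, 0, 0, 0x0e, 0x10,
    0xC0, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0, 0, 0, 0 };
static const uint8_t trunc_opt[16] = {       /* label claims 20 bytes, 7 remain */
    31, 2, 0, 0, 0, 0, 0, 0, 20, 'a', 'b', 'c', 'd', 'e', 'f', 'g' };

int main(void)
{
    char names[MAX_NAMES][MAX_SUFFIX_LEN + 1];
    int n = decode_dnssl(good_opt, sizeof good_opt, names);
    printf("good option: %d name(s), first = %s\n", n, n > 0 ? names[0] : "-");
    printf("bad label byte: %d\n", decode_dnssl(bad_label_opt, sizeof bad_label_opt, names));
    printf("truncated label: %d\n", decode_dnssl(trunc_opt, sizeof trunc_opt, names));
    printf("ifname eth0: %d, \"..\": %d\n", ifname_is_safe("eth0"), ifname_is_safe(".."));
    return 0;
}
```

The point of the decoder is that every length is checked against what is actually left before it is used for a copy; reading the label byte into a signed type is what let a value above 127 pass the upper-bound test in the original. The interface-name check is deliberately strict rather than trying to normalise the path, since the privileged side cannot trust a name that the unprivileged side produced.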
@maintainers: Is there a timeframe for getting a fixed version in the tree?
Created attachment 290827 [details, diff]
ebuild.patch

I'm not a radvd user, but the daemon starts as well. Tests are welcome from radvd users around.
Comment on attachment 290827 [details, diff]
ebuild.patch

Security updates are not the time to do ebuild cleanups.
+*radvd-1.8.2 (04 Nov 2011) + + 04 Nov 2011; Michael Weber <xmw@gentoo.org> +radvd-1.8.2.ebuild: + Version bump to address security issue bug 381895. +
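Review bot: the ChangeLog entry for the 1.8.2 bump cites "bug 381895", while the later stabilization and removal entries on this page cite bug 385967 for the same security issue; confirm the bug number before committing so the ChangeLog points at the right report.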
Can I please fast stabilize this new and unaffected version 1.8.2, and remove the old ones?
(In reply to comment #5)
> Can I please fast stabilize this new and unaffected version 1.8.2, and remove
> the old ones?

Thank you for the bump, let's do that.

Arches, please test and mark stable:
=net-misc/radvd-1.8.2
Target keywords : "amd64 arm hppa ppc sparc x86"
amd64 ok
ppc stable
amd64 done. Thanks Agostino
x86 stable, thanks!
arm stable
Stable for HPPA.
+ 10 Nov 2011; Michael Weber <xmw@gentoo.org> radvd-1.8.2.ebuild: + sparc stable (bug 385967) +
Ok, the new version is stabled, I've removed the affected versions from the tree. I consider this issue done, but I couldn't discover any documentation about whiteboard stati to express this.

+ 10 Nov 2011; Michael Weber <xmw@gentoo.org> -radvd-1.6.ebuild, + -radvd-1.7.ebuild, -radvd-1.8.ebuild, -radvd-1.8.1.ebuild: + Remove security affected versions (bug 385967) +
Thanks folks, filed a GLSA request.
(In reply to comment #2)
> Created attachment 290827 [details, diff]
> ebuild.patch

I updated the ebuild as part of bug 386113, thanks.
This issue was resolved and addressed in GLSA 201111-08 at http://security.gentoo.org/glsa/glsa-201111-08.xml by GLSA coordinator Alex Legler (a3li).
CVE-2011-3605 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3605): The process_rs function in the router advertisement daemon (radvd) before 1.8.2, when UnicastOnly is enabled, allows remote attackers to cause a denial of service (temporary service hang) via a large number of ND_ROUTER_SOLICIT requests.

CVE-2011-3604 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3604): The process_ra function in the router advertisement daemon (radvd) before 1.8.2 allows remote attackers to cause a denial of service (stack-based buffer over-read and crash) via unspecified vectors.

CVE-2011-3601 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3601): Buffer overflow in the process_ra function in the router advertisement daemon (radvd) before 1.8.2 allows remote attackers to execute arbitrary code or cause a denial of service (crash) via a negative value in a label_len value.

CVE-2011-3603 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3603): The router advertisement daemon (radvd) before 1.8.2 does not properly handle errors in the privsep_init function, which causes the radvd daemon to run as root and has an unspecified impact.

CVE-2011-3602 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3602): Directory traversal vulnerability in device-linux.c in the router advertisement daemon (radvd) before 1.8.2 allows local users to overwrite arbitrary files, and remote attackers to overwrite certain files, via a .. (dot dot) in an interface name. NOTE: this can be leveraged with a symlink to overwrite arbitrary files.