Bug 78371 - net-misc/netkit-rwho: rwhod DoS (CAN-2004-1180)
Summary: net-misc/netkit-rwho: rwhod DoS (CAN-2004-1180)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: All
Importance: High minor
Assignee: Gentoo Security
URL: http://www.novell.com/linux/download/...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2005-01-17 08:02 UTC by Thierry Carrez (RETIRED)
Modified: 2005-02-06 11:11 UTC

See Also:
Package list:
Runtime testing required: ---
Description Thierry Carrez (RETIRED) gentoo-dev 2005-01-17 08:02:26 UTC
From Vlad902:

I've found that a DoS vulnerability exists in the netkit-rwhod
package. rwhod starts two processes, one to listen for connections and
another to broadcast messages. It is possible to remotely crash the
listener; it is not possible to exploit this vulnerability to execute
arbitrary code. This vulnerability only occurs on little endian
computers because rwhod trusts external input. The anomaly exists in
the following code (rwhod.c):

                cc = recvfrom(sk, (char *)&wd, sizeof(struct whod), 0,
                              (struct sockaddr *)&from, &len);
                if (cc <= 0) {
                        if (cc < 0 && errno != EINTR)
                                syslog(LOG_WARNING, "recv: %m");
                        continue;
                }

... Some checks here ...

#if ENDIAN != BIG_ENDIAN
                {
                        int i, n = (cc - WHDRSIZE)/sizeof(struct whoent);
                        struct whoent *we;

                        /* undo header byte swapping before writing to file */
                        wd.wd_sendtime = ntohl(wd.wd_sendtime);
                        for (i = 0; i < 3; i++)
                                wd.wd_loadav[i] = ntohl(wd.wd_loadav[i]);
                        wd.wd_boottime = ntohl(wd.wd_boottime);
                        we = wd.wd_we;
                        for (i = 0; i < n; i++) {
                                we->we_idle = ntohl(we->we_idle);
                                we->we_utmp.out_time =
                                    ntohl(we->we_utmp.out_time);
                                we++;
                        }
                }
#endif

rwhod trusts that the other host sent a packet that is at least of
size WHDRSIZE, otherwise the integer will roll over to a negative
number, then when the division occurs it will become a very large
positive integer causing the second for loop to loop until it reaches
the end of the stack. When it reaches the end of the stack it will
fault and cause an effective DoS on the listener. A simple "exploit"
for this vulnerability would be to send a valid packet of size
WHDRSIZE-1. This would cause the receiver to not function any longer.
A simple fix for this vulnerability would be to add a check on the
'cc' variable directly after the recvfrom() call (rwhod.c:253).

=====================================================================
diff -u netkit-rwho-0.17/rwhod/rwhod.c netkit-rwho-0.17/rwhod/rwhod.c
--- netkit-rwho-0.17/rwhod/rwhod.c
+++ netkit-rwho-0.17/rwhod/rwhod.c
@@ -314,6 +314,8 @@
 				syslog(LOG_WARNING, "recv: %m");
 			continue;
 		}
+		if (cc < WHDRSIZE)
+			continue;
 		if (from.sin_port != sp->s_port) {
 			syslog(LOG_WARNING, "%d: bad from port",
 				ntohs(from.sin_port));
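Review bot: the added `if (cc < WHDRSIZE) continue;` is placed correctly after the `cc <= 0` branch (so `cc` is already positive when it meets the comparison against a sizeof()-derived, unsigned WHDRSIZE), but it drops the undersized datagram silently, whereas every neighbouring rejection in this function reports through syslog (`recv: %m`, `bad from port`). Suggest logging before the `continue`, e.g. `syslog(LOG_WARNING, "short packet (%d bytes)", cc);`, so that a stream of short packets is visible to the operator instead of vanishing without trace.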
====================================================================
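The length arithmetic the report describes, as an added example that is neither netkit's code nor the reporter's: reduced stand-in layouts for struct whod and struct whoent (only their sizes matter), rwhod's style of WHDRSIZE definition, the entry count computed the way the vulnerable loop does it, and a bounded version of the same count that applies the check from the patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in layouts, constructed for this example; only the sizes matter. */
struct whoent {
    uint32_t we_idle;
    uint32_t out_time;
    char     out_line[8];
};

struct whod {                          /* header fields, then the entry array */
    uint32_t wd_sendtime;
    uint32_t wd_loadav[3];
    uint32_t wd_boottime;
    struct whoent wd_we[16];
};

/* Same shape as rwhod's WHDRSIZE: whole struct minus the entry array.
 * sizeof() yields size_t, so WHDRSIZE is an unsigned quantity. */
#define WHDRSIZE  (sizeof(struct whod) - sizeof(((struct whod *)0)->wd_we))
#define WD_WE_MAX (sizeof(((struct whod *)0)->wd_we) / sizeof(struct whoent))

/* The count as rwhod computes it: the signed byte count from recvfrom() is
 * converted to size_t for the subtraction, so cc < WHDRSIZE does not go
 * negative but wraps to a huge value, which then drives the ntohl() loop. */
size_t unchecked_count(int cc)
{
    return (cc - WHDRSIZE) / sizeof(struct whoent);
}

/* Hardened count: reject anything shorter than the header (the check from the
 * bug report) and never report more entries than the buffer can hold.
 * Returns -1 for an undersized datagram so the caller can drop and log it. */
int checked_count(int cc)
{
    if (cc < 0 || (size_t)cc < WHDRSIZE)
        return -1;
    size_t n = ((size_t)cc - WHDRSIZE) / sizeof(struct whoent);
    return n > WD_WE_MAX ? (int)WD_WE_MAX : (int)n;
}

int main(void)
{
    int cc = (int)WHDRSIZE - 1;        /* one byte short of a full header */
    printf("cc=%d unchecked=%zu checked=%d\n",
           cc, unchecked_count(cc), checked_count(cc));
    return 0;
}
```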
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-01-24 05:58:55 UTC
Attached patch applies to our source:

patching file netkit-rwho-0.17/rwhod/rwhod.c
Hunk #1 succeeded at 258 (offset -56 lines).

Waiting for a disclosure date.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-02-04 03:06:56 UTC
Apparently public and patched by SuSE (see URL)

solar/vapier: this is noherd so you'll probably have to patch it on security behalf.
Comment 3 SpanKY gentoo-dev 2005-02-04 22:46:18 UTC
added the proposed fix along with a syslog(warning) when such a condition is met

marked stable for all arches who care, 0.17-r1 now in portage
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-02-06 09:17:29 UTC
GLSA vote... I vote no. Who cares about rwho anyway?
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-06 11:11:06 UTC
I vote for no GLSA as well.