
Bug 358789

Summary: <net-misc/mrouted-3.9.5: Multiple vulnerabilities
Product: Gentoo Security
Reporter: Tim Sammut (RETIRED) <underling>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: minor
CC: alexanderyt, jer
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Tim Sammut (RETIRED) gentoo-dev 2011-03-14 04:28:04 UTC

Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-03-14 04:30:36 UTC
(Sorry for the spam, ugh!)

Looking at the ChangeLog at $URL, I see two things that appear security-related.

Fixed in 3.9.3
 - Fix =NULL= pointer dereference in conf file parser.  Problem will arise for all
   interfaces that at one point might not have an address.

Fixed in 3.9.5
 - Ported from pimd after CVE-2011-0007: Insecure file creation in /var/tmp.
   "On USR1, pimd will write to /var/tmp/pimd.dump a dump of the multicast route
   table. Since /var/tmp is writable by any user, a user can create a symlink to any
   file he wants to destroy with the content of the multicast routing table."

Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2011-04-21 14:01:45 UTC
Stumbled upon this.

Arch teams, please test and mark stable:
Target KEYWORDS="amd64 ppc x86"

Comment 3 Agostino Sarubbo gentoo-dev 2011-04-21 18:20:07 UTC
amd64 ok

Comment 4 Thomas Kahle (RETIRED) gentoo-dev 2011-04-21 18:53:02 UTC
x86 stable

Comment 5 Brent Baude (RETIRED) gentoo-dev 2011-04-22 16:54:38 UTC
ppc done

Comment 6 Markos Chandras (RETIRED) gentoo-dev 2011-04-25 09:18:17 UTC
amd64 done

Comment 7 Tim Sammut (RETIRED) gentoo-dev 2011-04-26 02:47:13 UTC
Thanks, everyone. GLSA Vote: Yes.

Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 21:52:56 UTC
Vote: YES. New GLSA request filed.

Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-10 20:13:44 UTC
Can one of our new scouts check if there is a CVE for this and request one if
there is none?

Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2014-12-12 00:37:19 UTC
This issue was resolved and addressed in
 GLSA 201412-09 at
by GLSA coordinator Sean Amoss (ackle).