Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 385967 (CVE-2011-3601)

Summary: <net-misc/radvd-1.8.2: Multiple vulnerabilities (CVE-2011-{3601,3602,3603,3604,3605})
Product: Gentoo Security Reporter: Sean Amoss (RETIRED) <ackle>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: ago, wschlich, xmw
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2011/10/06/3
Whiteboard: B1 [glsa]
Package list:
Runtime testing required: ---
Attachments:
Description Flags
ebuild.patch none

Description Sean Amoss (RETIRED) gentoo-dev Security 2011-10-07 01:12:01 UTC 
From $URL:

1) A privilege escalation flaw was found in radvd, due to a buffer overflow
in the process_ra() function.  ND_OPT_DNSSL_INFORMATION option parsing
"label_len" was not checked for negative values, leading to a "suffix"
buffer overflow which can lead to privilege escalation, at least if
radvd is compiled without GCC's stack protection. If radvd is invoked
without privilege separation (the -u option), this can lead to an
escalation to root privileges.  Note: Red Hat Enterprise Linux starts
radvd by default with the unprivileged user. (CVE-2011-3601)

2) An arbitrary file overwrite flaw was found in radvd's
set_interface_var() function, where it did not check the interface name
(generated by the unprivileged user) and blindly overwrites a filename
with a decimal value by the root process.  If a local attacker could
create symlinks pointing to arbitrary files on the system, they could
overwrite the target file contents.  If only radvd is compromised (e.g.
no local access), the attacker may only overwrite files with specific
names only (PROC_SYS_IP6_* from radvd's pathnames.h). (CVE-2011-3602)

3) The radvd daemon would not fail on privsep_init() errors, which could
cause it to run with full root privileges when it should be running as
an unprivileged user. (CVE-2011-3603)

4) A number of buffer overread flaws were found in radvd's process_ra()
function due to numerous missed len() checks. This can lead to memory
reads outside of the stack, resulting in a crash of radvd.
(CVE-2011-3604)

5) A temporary denial of service flaw was found in radvd's process_rs()
function, where it would call mdelay() on the same thread in which it
handled all input.  If ->UnicastOnly were set, an attacker could cause a
flood with ND_ROUTER_SOLICIT and fill the input queue of the daemon.
This would cause a brief outage of approximately MAX_RA_DELAY_TIME / 2 *
sizeof_input_queue when handling new clients, where MAX_RA_DELAY_TIME is
500ms, leading to delays of more than a minute.  Note: this is only the
case in unicast-only mode; there is no denial of service in the (normal,
default) anycast mode. (CVE-2011-3605)
---

Some additional issues fixed in radvd 1.8.2 were determined to have no
obvious security relevance.
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2011-10-25 20:59:31 UTC 
@maintainers: Is there a timeframe for getting a fixed version in the tree?
Comment 2 Agostino Sarubbo gentoo-dev 2011-10-25 21:16:35 UTC 
Created attachment 290827 [details, diff]
ebuild.patch

I'm not radvd user, but the daemon starts as well. Tests are welcome from radvd users around.
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-10-26 15:52:43 UTC 
Comment on attachment 290827 [details, diff]
ebuild.patch

Security updates are not the time to do ebuild cleanups.
Comment 4 Michael Weber (RETIRED) gentoo-dev 2011-11-04 16:31:21 UTC 
+*radvd-1.8.2 (04 Nov 2011)
+
+  04 Nov 2011; Michael Weber <xmw@gentoo.org> +radvd-1.8.2.ebuild:
+  Version bump to address security issue bug 381895.
+
Comment 5 Michael Weber (RETIRED) gentoo-dev 2011-11-04 16:33:03 UTC 
Can I please fast stabilize this new and unaffected version 1.8.2, and remove the old ones?
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2011-11-04 16:35:48 UTC 
(In reply to comment #5)
> Can I please fast stabilize this new and unaffected version 1.8.2, and remove
> the old ones?

Thank you for the bump, lets do that.

Arches, please test and mark stable:
=net-misc/radvd-1.8.2
Target keywords : "amd64 arm hppa ppc sparc x86"
Comment 7 Agostino Sarubbo gentoo-dev 2011-11-04 20:11:00 UTC 
amd64 ok
Comment 8 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-11-05 20:15:26 UTC 
ppc stable
Comment 9 Markos Chandras (RETIRED) gentoo-dev 2011-11-06 00:25:52 UTC 
amd64 done. Thanks Agostino
Comment 10 Andreas Schürch gentoo-dev 2011-11-06 14:17:00 UTC 
x86 stable, thanks!
Comment 11 Markus Meier gentoo-dev 2011-11-06 16:53:43 UTC 
arm stable
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2011-11-07 12:43:53 UTC 
Stable for HPPA.
Comment 13 Michael Weber (RETIRED) gentoo-dev 2011-11-10 08:22:48 UTC 
+  10 Nov 2011; Michael Weber <xmw@gentoo.org> radvd-1.8.2.ebuild:
+  sparc stable (bug 385967)
+
Comment 14 Michael Weber (RETIRED) gentoo-dev 2011-11-10 08:28:02 UTC 
Ok, the new version is stabled, i've removed the affected versions from tree.
I consider this issue done, but I could't discover any documentation about whiteboard stati to express this.

+  10 Nov 2011; Michael Weber <xmw@gentoo.org> -radvd-1.6.ebuild,
+  -radvd-1.7.ebuild, -radvd-1.8.ebuild, -radvd-1.8.1.ebuild:
+  Remove security affected versions (bug 385967)
+
Comment 15 Agostino Sarubbo gentoo-dev 2011-11-10 10:43:58 UTC 
Thanks folks, filed glsa request.
Comment 16 Michael Weber (RETIRED) gentoo-dev 2011-11-14 02:22:17 UTC 
(In reply to comment #2)
> Created attachment 290827 [details, diff] [details, diff]
> ebuild.patch

I updated the ebuild as part of bug 386113, thanks
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2011-11-20 18:16:57 UTC 
This issue was resolved and addressed in
 GLSA 201111-08 at http://security.gentoo.org/glsa/glsa-201111-08.xml
by GLSA coordinator Alex Legler (a3li).
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2014-04-10 21:23:33 UTC 
CVE-2011-3605 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3605):
  The process_rs function in the router advertisement daemon (radvd) before
  1.8.2, when UnicastOnly is enabled, allows remote attackers to cause a
  denial of service (temporary service hang) via a large number of
  ND_ROUTER_SOLICIT requests.

CVE-2011-3604 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3604):
  The process_ra function in the router advertisement daemon (radvd) before
  1.8.2 allows remote attackers to cause a denial of service (stack-based
  buffer over-read and crash) via unspecified vectors.

CVE-2011-3601 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3601):
  Buffer overflow in the process_ra function in the router advertisement
  daemon (radvd) before 1.8.2 allows remote attackers to execute arbitrary
  code or cause a denial of service (crash) via a negative value in a
  label_len value.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2014-04-28 20:10:54 UTC 
CVE-2011-3603 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3603):
  The router advertisement daemon (radvd) before 1.8.2 does not properly
  handle errors in the privsep_init function, which causes the radvd daemon to
  run as root and has an unspecified impact.

CVE-2011-3602 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3602):
  Directory traversal vulnerability in device-linux.c in the router
  advertisement daemon (radvd) before 1.8.2 allows local users to overwrite
  arbitrary files, and remote attackers to overwrite certain files, via a ..
  (dot dot) in an interface name.  NOTE: this can be leveraged with a symlink
  to overwrite arbitrary files.