Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 358789 - <net-misc/mrouted-3.9.5: Multiple vulnerabilities
Summary: <net-misc/mrouted-3.9.5: Multiple vulnerabilities
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Depends on:
Reported: 2011-03-14 04:28 UTC by Tim Sammut (RETIRED)
Modified: 2014-12-12 00:37 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Tim Sammut (RETIRED) gentoo-dev 2011-03-14 04:28:04 UTC

Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-03-14 04:30:36 UTC
(Sorry for the spam, ugh!)

Looking at the ChangeLog at $URL, I see two things that appear security-related.

Fixed in 3.9.3
 - Fix =NULL= pointer dereference in conf file parser.  Problem will arise for all
   interfaces that at one point might not have an address.

Fixed in 3.9.5
 - Ported from pimd after CVE-2011-0007: Insecure file creation in /var/tmp.
   "On USR1, pimd will write to /var/tmp/pimd.dump a dump of the multicast route
   table. Since /var/tmp is writable by any user, a user can create a symlink to any
   file he wants to destroy with the content of the multicast routing table."
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2011-04-21 14:01:45 UTC
Stumbled upon this.

Arch teams, please test and mark stable:
Target KEYWORDS="amd64 ppc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2011-04-21 18:20:07 UTC
amd64 ok
Comment 4 Thomas Kahle (RETIRED) gentoo-dev 2011-04-21 18:53:02 UTC
x86 stable
Comment 5 Brent Baude (RETIRED) gentoo-dev 2011-04-22 16:54:38 UTC
ppc done
Comment 6 Markos Chandras (RETIRED) gentoo-dev 2011-04-25 09:18:17 UTC
amd64 done
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2011-04-26 02:47:13 UTC
Thanks, everyone. GLSA Vote: Yes.
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 21:52:56 UTC
Vote: YES. New GLSA request filed.
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-10 20:13:44 UTC
Can one of our new scouts check if there is a CVE for this and request one if
there is none?
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2014-12-12 00:37:19 UTC
This issue was resolved and addressed in
 GLSA 201412-09 at
by GLSA coordinator Sean Amoss (ackle).