Debian Security Advisory
DSA-2323-1 radvd -- several vulnerabilities
- Date Reported:
- 26 Oct 2011
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 644614.
In Mitre's CVE dictionary: CVE-2011-3602, CVE-2011-3604, CVE-2011-3605.
- More information:
Multiple security issues were discovered by Vasiliy Kulikov in radvd, an IPv6 Router Advertisement daemon:
set_interface_var() function doesn't check the interface name, which is chosen by an unprivileged user. This could lead to an arbitrary file overwrite if the attacker has local access, or specific files overwrites otherwise.
process_ra() function lacks multiple buffer length checks which could lead to memory reads outside the stack, causing a crash of the daemon.
process_rs() function calls mdelay() (a function to wait for a defined time) unconditionnally when running in unicast-only mode. As this call is in the main thread, that means all request processing is delayed (for a time up to MAX_RA_DELAY_TIME, 500 ms by default). An attacker could flood the daemon with router solicitations in order to fill the input queue, causing a temporary denial of service (processing would be stopped during all the mdelay() calls).
Note: upstream and Debian default is to use anycast mode.
For the oldstable distribution (lenny), this problem has been fixed in version 1:1.1-3.1.
For the stable distribution (squeeze), this problem has been fixed in version 1:1.6-1.1.
For the testing distribution (wheezy), this problem has been fixed in version 1:1.8-1.2.
For the unstable distribution (sid), this problem has been fixed in version 1:1.8-1.2.
We recommend that you upgrade your radvd packages.