Debian Security Advisory

DSA-124-1 mtr -- buffer overflow

Date Reported:
26 Mar 2002
Affected Packages:
Security database references:
In the Bugtraq database (at SecurityFocus): BugTraq ID 4217.
In Mitre's CVE dictionary: CVE-2002-0497.
More information:

The authors of mtr released a new upstream version, noting a non-exploitable buffer overflow in their ChangeLog. Przemyslaw Frasunek, however, found an easy way to exploit this bug, which allows an attacker to gain access to the raw socket, which makes IP spoofing and other malicious network activity possible.

The problem has been fixed by the Debian maintainer in version 0.41-6 for the stable distribution of Debian by backporting the upstream fix and in version 0.48-1 for the testing/unstable distribution.

We recommend that you upgrade your mtr package immediately.

Fixed in:

Debian GNU/Linux 2.2 (potato)

Intel ia32:
Motorola 680x0:
Sun Sparc:

MD5 checksums of the listed files are available in the original advisory.