Bug 129386 - [PATCH] CVE-2002-0497 at mtr possible, but not per default
Summary: [PATCH] CVE-2002-0497 at mtr possible, but not per default
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: mtr
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Phil Knirsch
QA Contact:
URL: http://www.cve.mitre.org/cgi-bin/cven...
Whiteboard:
Keywords: Patch
Depends On:
Blocks: 134540
TreeView+ depends on / blocked
 
Reported: 2004-08-07 14:55 UTC by Robert Scheck
Modified: 2015-03-05 01:14 UTC (History)
1 user (show)

(edit)
Clone Of:
(edit)
Last Closed: 2004-10-06 14:45:43 UTC


Attachments (Terms of Use)
mtr-0.54-CVE-2002-0497.patch (12.51 KB, patch)
2004-08-07 14:56 UTC, Robert Scheck
no flags Details | Diff

Description Robert Scheck 2004-08-07 14:55:31 UTC
Description of problem:
mtr is vulnerable against CVE-2002-0497, but not per default, only 
if mtr has 4755/setuid permissions, what is not the Fedora Core 
default (that's 0755). But we should also apply that patch, because 
maybe admins/users change the permissions of mtr to setuid and then, 
mtr is vulnerable for CVE-2002-0497.

CVE-2002-0497: Buffer overflow in mtr 0.46 and earlier, when installed setuid root, allows local users to access a raw socket via 
a long MTR_OPTIONS environment variable. 

Version-Release number of selected component (if applicable):
mtr-0.54-7

Actual results:
I updated a initial patch by SuSE, which is also currently used there
and at PLD.

Expected results:
Use of the patch ;-)

Comment 1 Robert Scheck 2004-08-07 14:56:10 UTC
Created attachment 102498 [details]
mtr-0.54-CVE-2002-0497.patch

Comment 2 Daniel Roesen 2004-10-04 13:15:10 UTC
Well, most users will chmod u+s as like with ping and traceroute,
normal users want to use it. :-)

Please apply the patch and make mtr setuid as ping and traceroute...

Comment 3 Robert Scheck 2004-10-05 07:24:56 UTC
Agree with you Daniel, chmod u+s for mtr would be fine, I dunno why it 
was removed....

Comment 4 Phil Knirsch 2004-10-06 14:45:43 UTC
It is a general rule that we only set suid for a very limited set of
binaries and only if absolutely required and necessary.

And as this example clearly shows, suid is dangerous. ;-)

I'll still apply this patch at least for our development version for
FC3, but suid change won't be done, sorry.

Read ya, Phil


Note You need to log in before you can comment on or make changes to this bug.