If you try to use traceroute with multiple -g arguments (said to be supported in the man page, too!), traceroute will die in a segmentation fault right in the beginning. Because traceroute is setuid root, this is of some concern.
Created attachment 938: Patch against segfault w/ multiple source route gateways defined
Oh dear - what genuinely terrible code in traceroute! Luckily it doesn't look too exploitable. The actual segfault is free() on a pointer which wasn't allocated with malloc(). Can I suggest another fix - remove savestr() and replace with strdup(). savestr() is only used by a few places. Worse, the concept of savestr() looks broken. The code comment says it is there to "reduce malloc() overhead incurred by strdup()". That's a horrendous case of a programmer inventing a problem. savestr() is only used a few times. As if a few malloc() calls make a discernible difference in a program like traceroute!! If only programmers would base their code on real-world measurements rather than guessing.... :-)
FYI, Bill
fixed in rawhide now.
About to include safety patch...
Created attachment 1247: Fixes traceroute to drop privs even sooner
Oooh... this attachment thing is cool ;-) Patch tested to the extent of compiling and brief play. I'm not the world's most demanding traceroute user, though. I consider the patch well worth applying. The original "-g" flaw segfaults _before_ root privs were dropped - very dangerous! This patch makes privs get dropped immediately after obtaining the raw sockets at the top of main(). Any problems with the patch - let me know and they'll get fixed. Reopening the bug just to be a pain!
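The pattern the comment above describes, as an added example that is neither the attached patch nor traceroute's own code: open the raw socket while still privileged, then drop group and user ids back to the real ones before any argument parsing runs, and verify the drop actually took. The function returns the socket descriptor (or -1 when the raw socket could not be opened, which is the normal outcome for an unprivileged run) and reports separately whether privileges were verifiably dropped, so the two outcomes are never confused.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <unistd.h>

/* Obtain the one privileged resource (a raw ICMP socket) first, then give
 * up root permanently. Sets *dropped to 1 only if the effective ids now
 * equal the real ids and, for a non-root invoker, root cannot be regained.
 * Returns the socket fd, or -1 if the raw socket could not be opened. */
int open_raw_and_drop_privs(int *dropped)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    int sock_errno = errno;
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    *dropped = 0;

    /* Group first: once the uid is no longer 0, setgid() would be refused. */
    if (setgid(rgid) != 0) {
        perror("setgid");
        return fd;
    }
    if (setuid(ruid) != 0) {
        perror("setuid");
        return fd;
    }

    /* Never trust the calls alone: confirm the ids really changed. */
    if (geteuid() != ruid || getegid() != rgid) {
        fprintf(stderr, "privilege drop did not take effect\n");
        return fd;
    }

    /* For a setuid-root binary run by a normal user, regaining root must now
     * fail; if it succeeds, the saved uid was left at 0 and the drop is not
     * permanent. (Skipped when the real user is root, where it is meaningless.) */
    if (ruid != 0 && setuid(0) == 0) {
        fprintf(stderr, "privilege drop was not permanent\n");
        return fd;
    }

    if (fd < 0)
        fprintf(stderr, "raw socket unavailable: %s\n", strerror(sock_errno));

    *dropped = 1;
    return fd;
}

/* Convenience check for callers and tests: 1 if effective ids match real ids. */
int running_unprivileged(void)
{
    return geteuid() == getuid() && getegid() == getgid();
}

int main(void)
{
    int dropped = 0;
    int fd = open_raw_and_drop_privs(&dropped);

    printf("raw socket fd: %d, privileges dropped: %d\n", fd, dropped);
    /* Only after this point would a real tool parse -g and the rest of argv. */
    if (fd >= 0)
        close(fd);
    return dropped ? 0 : 1;
}
```

Ordering is the whole point: the raw socket is the only thing that needs root, so it is the only thing done before the drop, and every later bug (including an argument-parsing segfault) then happens as the invoking user.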
[ mainly to Chris ] By the way, a RH62 report #9541 has a link to similar, but perhaps a little more primitive privilege-dropping patch. If you haven't checked it out yet, you might want to take a look at that.
Thanks, and well spotted. The patch is very similar. Either patch would be a useful addition to Rawhide ;-)
*** Bug 9541 has been marked as a duplicate of this bug. ***
Fixed (by applying patch) in traceroute-1.4a5-23. Thanks for the patch, comments, and pointers.
Fixed for Red Hat 6.x and 5.x as well.
*** Bug 18466 has been marked as a duplicate of this bug. ***