Created attachment 938 [details]
Patch against segfault w/ multiple source route gateways defined

Oh dear - what genuinely terrible code in traceroute
Luckily it doesn't look too exploitable. The actual segfault is free() on a
pointer which wasn't allocated with malloc().
Can I suggest another fix - remove savestr() and replace with strdup().
savestr() is only used by a few places.
Worse, the concept of savestr() looks broken. The code comment says it is there
to "reduce malloc() overhead incurred by strdup()". That's a horrendous case of
a programmer inventing a problem. savestr() is only used a few times. As if a
few malloc() calls make a discernible difference in a program like traceroute!!
If only programmers would base their code on real-world measurements rather than
guessing.... :-)

FYI, Bill

fixed in rawhide now.

About to include safety patch...

Created attachment 1247 [details]
Fixes traceroute to drop privs even sooner

Oooh... this attachment thing is cool ;-)
Patch tested to extend of compile and brief play. I'm not the world's most
demanding traceroute user, though.
I consider the patch well worth applying. The original "-g" flaw segfaults
_before_ root privs were dropped - very dangerous! This patch makes privs get
dropped immediately after obtaining the raw sockets at the top of main().
Any problems with the patch - let me know and they'll get fixed. Reopening the
bug just to be a pain!

[ mainly to Chris ]

By the way, a RH62 report #9541 has a link to similar, but perhaps a little more
primitive privilege-dropping patch.  If you haven't checked it out yet, you
might want to take a look at that.

Thanks, and well spotted. The patch is very similar. Either patch would be a
useful addition to Rawhide ;-)

*** Bug 9541 has been marked as a duplicate of this bug. ***

Fixed (by applying patch) in tarceroute-1.4a5-23. Thanks for the patch.,
comments, and pointers.

Fixed for Red Hat 6.x and 5.x as well.

*** Bug 18466 has been marked as a duplicate of this bug. ***