If you try to use traceroute with multiple -g arguments (said to be
supported in the man page, too!), traceroute will die in a segmentation
fault right in the beginning.
Because traceroute is setuid root, this is of some concern.
Created attachment 938 [details]
Patch against segfault w/ multiple source route gateways defined
Oh dear - what genuinely terrible code in traceroute
Luckily it doesn't look too exploitable. The actual segfault is free() on a
pointer which wasn't allocated with malloc().
Can I suggest another fix - remove savestr() and replace with strdup().
savestr() is only used by a few places.
Worse, the concept of savestr() looks broken. The code comment says it is there
to "reduce malloc() overhead incurred by strdup()". That's a horrendous case of
a programmer inventing a problem. savestr() is only used a few times. As if a
few malloc() calls make a discernible difference in a program like traceroute!!
If only programmers would base their code on real-world measurements rather than
Fixed in Rawhide now.
About to include safety patch...
Created attachment 1247 [details]
Fixes traceroute to drop privs even sooner
Oooh... this attachment thing is cool ;-)
Patch tested to the extent of compiling and a brief play. I'm not the world's most
demanding traceroute user, though.
I consider the patch well worth applying. The original "-g" flaw segfaults
_before_ root privs were dropped - very dangerous! This patch makes privs get
dropped immediately after obtaining the raw sockets at the top of main().
Any problems with the patch - let me know and they'll get fixed. Reopening the
bug just to be a pain!
[ mainly to Chris ]
By the way, a RH62 report #9541 has a link to similar, but perhaps a little more
primitive privilege-dropping patch. If you haven't checked it out yet, you
might want to take a look at that.
Thanks, and well spotted. The patch is very similar. Either patch would be a
useful addition to Rawhide ;-)
*** Bug 9541 has been marked as a duplicate of this bug. ***
Fixed (by applying patch) in traceroute-1.4a5-23. Thanks for the patch,
comments, and pointers.
Fixed for Red Hat 6.x and 5.x as well.
*** Bug 18466 has been marked as a duplicate of this bug. ***