Description of Problem:
Possible traceroute6 security flaw, demo follows
n.b. you need the ipv6 module loaded (luckily?)

[chris@localhost chris]$ /usr/sbin/traceroute6 ::1 8
traceroute to ::1 (::1) from ::1, 30 hops max, 8 byte packets
Segmentation fault

How Reproducible:
Every time

Steps to Reproduce:
As above.

Additional Information:
Looking at the code, this looks to be a heap mismanagement flaw - data is written over the end of a malloc chunk. May or may not be exploitable.

Note that traceroute6 drops root privs and just retains a raw socket, so severity is limited.

I will notify vendor-sec shortly and cc: Alexey (iputils maintainer).

Note, there might be other issues, I caught this via a quick sanity scan since traceroute6 is a new suid-root binary in RH7.2beta3
This defect is considered SHOULD-FIX for Fairfax
Fixed in iputils-20001110-6. Soon to appear on rawhide. Read ya, Phil