Common Vulnerabilities and Exposures assigned an identifier CVE-2008-2357 to the following vulnerability: Stack-based buffer overflow in the split_redraw function in split.c in mtr before 0.73, when invoked with the -p (aka --split) option, allows remote attackers to execute arbitrary code via a crafted DNS PTR record. NOTE: it could be argued that this is a vulnerability in the ns_name_ntop function in resolv/ns_name.c in glibc and the proper fix should be in glibc; if so, then this should not be treated as a vulnerability in mtr.
References:
http://www.securityfocus.com/archive/1/archive/1/492260/100/0/threaded
http://seclists.org/fulldisclosure/2008/May/0488.html
http://marc.info/?l=bugtraq&m=121129521624280&w=4
http://www.openwall.com/lists/oss-security/2008/05/20/5
ftp://ftp.bitwizard.nl/mtr/mtr-0.73.diff
http://secunia.com/advisories/30312
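The bug class above, as an added illustration that is not mtr's split.c: a split-mode output line built into a fixed-size stack buffer with sprintf, where the hostname comes from an attacker-controlled PTR record. The buffer size, the line format and the 1024-character name are assumptions; the page only says that the fix replaced sprintf with snprintf. The unbounded variant is not executed here (that would corrupt the stack); instead the code computes how many bytes it would write, while the bounded variant shows how the caller detects truncation. Names returned in presentation form by ns_name_ntop can exceed the 255-octet wire limit once special characters are escaped, which is why a "large enough" fixed buffer is not a fix on its own.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the stack buffer split mode formats a hop line into.
 * The real value in mtr's split.c is not given on the page. */
#define LINE_LEN 256

/* Upper bound on a presentation-format name from ns_name_ntop (NS_MAXDNAME). */
#define MAX_HOST_LEN 1025

/* Assumed split-mode line format: hop number, hostname, address. */
#define SPLIT_FMT "%d %s %s"

/* Bytes the formatted line needs, including the NUL terminator. */
static size_t split_line_needed(int hop, const char *host, const char *addr)
{
    int n = snprintf(NULL, 0, SPLIT_FMT, hop, host, addr);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* The pre-0.73 pattern: sprintf(line, SPLIT_FMT, ...) writes as many bytes as
 * the hostname demands. Rather than performing the overflow, report whether
 * it would happen for this input. */
static int split_line_sprintf_overflows(int hop, const char *host, const char *addr)
{
    return split_line_needed(hop, host, addr) > LINE_LEN;
}

/* Patched pattern: snprintf bounds the write. Returns 0 on success and -1
 * when the line was truncated, so the caller can refuse to emit a mangled hop
 * instead of silently printing a cut-off name. */
static int split_line_format(char *out, size_t outlen, int hop,
                             const char *host, const char *addr)
{
    int n = snprintf(out, outlen, SPLIT_FMT, hop, host, addr);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

/* Constructed stand-in for an attacker-controlled PTR record as handed back
 * by the resolver: a 1024-character name made of 'a'. */
static void long_ptr_name(char *buf, size_t len)
{
    memset(buf, 'a', len - 1);
    buf[len - 1] = '\0';
}

/* Push the crafted name through both variants. Returns 1 when the unbounded
 * version would overflow LINE_LEN and the bounded version reports truncation
 * while leaving a NUL-terminated buffer behind. */
static int check_crafted_ptr(void)
{
    char host[MAX_HOST_LEN];
    char line[LINE_LEN];

    long_ptr_name(host, sizeof host);
    if (!split_line_sprintf_overflows(3, host, "192.0.2.1"))
        return 0;
    if (split_line_format(line, sizeof line, 3, host, "192.0.2.1") != -1)
        return 0;
    return strlen(line) == LINE_LEN - 1;
}

/* An ordinary PTR name fits and formats exactly as expected. Returns 1 on
 * success. */
static int check_benign_ptr(void)
{
    char line[LINE_LEN];

    if (split_line_format(line, sizeof line, 3, "router.example.net", "192.0.2.1") != 0)
        return 0;
    return strcmp(line, "3 router.example.net 192.0.2.1") == 0;
}

int main(void)
{
    printf("crafted PTR: %s\n",
           check_crafted_ptr() ? "sprintf would overflow, snprintf truncated safely"
                               : "unexpected result");
    printf("benign PTR:  %s\n", check_benign_ptr() ? "formatted correctly" : "unexpected result");
    return 0;
}
```

The check on the snprintf return value is the part that matters for the patched code path: snprintf alone stops the memory corruption, but without testing for n >= outlen a front-end would still receive a silently truncated line.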
This issue does not affect mtr packages as shipped in Red Hat Enterprise Linux 4 and 5 and all current Fedora versions. The problem was resolved in the patch for another security issue -- CVE-2002-0497 -- mtr-0.XX-CVE-2002-0497.patch, which replaces the problematic sprintf with snprintf. Versions of mtr as shipped in Red Hat Enterprise Linux 2.1 and 3 are affected. http://cvs.fedoraproject.org/viewcvs/rpms/mtr/F-7/mtr-0.69-CVE-2002-0497.patch This issue can only be exploited when an attacker can convince the victim to use mtr to trace the path to or via an IP for which the attacker controls the PTR DNS records. Additionally, the victim must run mtr in "split mode" by providing the -p or --split command line option. The purpose of the split mode is to support GUI mtr front-ends that would only display information gathered by mtr. However, there is probably no front-end program using this mtr feature, so it is unlikely mtr is started in split mode without an explicit user request.
mtr in Red Hat Enterprise Linux and Fedora is not installed with the setuid bit set, so this issue cannot be used for local privilege escalation on affected versions.
I went through versions of mtr and I confirm that only RHEL {2.1, 3} are affected.