A privilege escalation flaw was found in radvd, due to a buffer overflow in the process_ra() function. ND_OPT_DNSSL_INFORMATION option parsing "label_len" was not checked for negative values, leading to a "suffix" buffer overflow which can lead to privilege escalation, at least if radvd is compiled without GCC's stack protection. If radvd is invoked without privilege separation (the -u option), this can lead to an escalation to root privileges. Note: Red Hat Enterprise Linux starts radvd by default with the unprivileged user. (CVE-2011-3601)

This is corrected in upstream git [1].

[1] https://github.com/reubenhwk/radvd/commit/9dfaaaf740ce784541e76e68de4ae04dce2c0921

Note: radvd is compiled with GCC stack protection on Red Hat Enterprise Linux 5 and later.

Acknowledgements: Red Hat would like to thank Vasiliy Kulikov of Openwall for reporting this issue.
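The class of check described above, as an added example that is not radvd's code and not part of the original report: a bounds-checked decoder for one DNSSL suffix that reads the label length as an unsigned value. The function name `dnssl_decode_suffix`, the sample bytes, and the choice to reject a name with no terminating zero label are assumptions; the 63-byte label limit is from RFC 1035.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: decode one label-encoded domain from a DNSSL option
 * body (untrusted bytes) into out as a dotted string.
 * Returns bytes consumed (> 0), or -1 if the input is malformed or too long. */
int dnssl_decode_suffix(const uint8_t *data, size_t len, char *out, size_t outsz)
{
    size_t off = 0, used = 0;

    if (outsz == 0)
        return -1;
    out[0] = '\0';
    while (off < len) {
        /* Unsigned read: a byte >= 0x80 must never become a negative
         * length that slips past a "remaining space < needed" test. */
        size_t label_len = data[off++];

        if (label_len == 0)            /* zero label terminates the name */
            return (int)off;
        if (label_len > 63)            /* RFC 1035 limit; also rejects 0x80-0xff */
            return -1;
        if (label_len > len - off)     /* label runs past the option data */
            return -1;
        if (label_len + 2 > outsz - used)  /* room for '.', label and NUL */
            return -1;
        if (used > 0)
            out[used++] = '.';
        memcpy(out + used, data + off, label_len);
        used += label_len;
        out[used] = '\0';
        off += label_len;
    }
    return -1;                         /* ran out of data before a zero label */
}

int main(void)
{
    /* Constructed sample input: "example.com" in label encoding. */
    const uint8_t sample[] = {7,'e','x','a','m','p','l','e',3,'c','o','m',0};
    char suffix[256];
    int n = dnssl_decode_suffix(sample, sizeof sample, suffix, sizeof suffix);

    printf("consumed=%d suffix=%s\n", n, n > 0 ? suffix : "(rejected)");
    return 0;
}
```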
The version of radvd shipped with Red Hat Enterprise Linux 4, 5 and 6 does not have support for IPv6 Router Advertisement Options for DNS Configuration.

Statement: Not Vulnerable. This issue does not affect the version of radvd package as shipped with Red Hat Enterprise Linux 4, 5 and 6.
This issue affects the version of radvd as shipped with Fedora 14 and 15.
Public via: http://thread.gmane.org/gmane.comp.security.oss.general/5973
Created radvd tracking bugs for this issue.

Affects: fedora-all [bug 744116]
radvd-1.8.2-2.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
radvd-1.8.2-2.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
radvd-1.8.2-2.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.