Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 7 Oct 2011 02:52:54 +0400
From: Solar Designer <>
Cc: Reuben Hawkins <>
Subject: radvd 1.8.2 released with security fixes


I was hoping that Vasiliy would post this, but he appears to be
unavailable at the moment.  Since the release is already out (and
postponing it seemed inappropriate), I decided to announce this on
oss-security sooner rather than later.

radvd-1.8.2/INTRO.html describes radvd as follows:

IPv6 has a lot more support for autoconfiguration than IPv4.  But for
this autoconfiguration to work on the hosts of a network, the routers of
the local network have to run a program which answers the
autoconfiguration requests of the hosts.

On Linux this program is called radvd, which stands for Router
ADVertisement Daemon.  This daemon listens to Router Solicitations (RS)
and answers with Router Advertisement (RA). [...]

Vasiliy Kulikov discovered a number of security vulnerabilities and some
other issues in radvd 1.8.1, and provided patches for some of them.

Reuben Hawkins, the current upstream maintainer for radvd, promptly
merged the patches, made additional fixes, and made the 1.8.2 release.

radvd-1.8.2/CHANGES describes 5 fixes that were determined to be of
security relevance:

1) A privilege escalation flaw was found in radvd, due to a buffer overflow
in the process_ra() function.  ND_OPT_DNSSL_INFORMATION option parsing
"label_len" was not checked for negative values, leading to a "suffix"
buffer overflow which can lead to privilege escalation, at least if
radvd is compiled without GCC's stack protection. If radvd is invoked
without privilege separation (the -u option), this can lead to an
escalation to root privileges.  Note: Red Hat Enterprise Linux starts
radvd by default with the unprivileged user. (CVE-2011-3601)

2) An arbitrary file overwrite flaw was found in radvd's
set_interface_var() function, where it did not check the interface name
(generated by the unprivileged user) and blindly overwrites a filename
with a decimal value by the root process.  If a local attacker could
create symlinks pointing to arbitrary files on the system, they could
overwrite the target file contents.  If only radvd is compromised (e.g.
no local access), the attacker may only overwrite files with specific
names only (PROC_SYS_IP6_* from radvd's pathnames.h). (CVE-2011-3602)

3) The radvd daemon would not fail on privsep_init() errors, which could
cause it to run with full root privileges when it should be running as
an unprivileged user. (CVE-2011-3603)

4) A number of buffer overread flaws were found in radvd's process_ra()
function due to numerous missed len() checks. This can lead to memory
reads outside of the stack, resulting in a crash of radvd.

5) A temporary denial of service flaw was found in radvd's process_rs()
function, where it would call mdelay() on the same thread in which it
handled all input.  If ->UnicastOnly were set, an attacker could cause a
flood with ND_ROUTER_SOLICIT and fill the input queue of the daemon.
This would cause a brief outage of approximately MAX_RA_DELAY_TIME / 2 *
sizeof_input_queue when handling new clients, where MAX_RA_DELAY_TIME is
500ms, leading to delays of more than a minute.  Note: this is only the
case in unicast-only mode; there is no denial of service in the (normal,
default) anycast mode. (CVE-2011-3605)

Some additional issues fixed in radvd 1.8.2 were determined to have no
obvious security relevance.

For those wanting a patch for review or backports, it is sufficient to
diff 1.8.2 against 1.8.1 - there are no unrelated changes.  SHA-1:

c7e8ac6222099c62519b9893f833440037352971  radvd-1.8.1.tar.gz
9a396ab58216c87308bc86a18864f84aeeba38a9  radvd-1.8.2.tar.gz

We'd like to thank Reuben Hawkins for prompt handling of these issues.
We're also grateful to linux-distros list members who have contributed
to the brief pre-disclosure discussion (5 days).

The linux-distros list is meant for medium severity issues.  Although
some of the radvd issues were high impact, Vasiliy and I felt that risk
probability during the embargo period was low enough that the overall
severity was medium.  Besides Linux distros, FreeBSD and NetBSD were


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.