[17288] in bugtraq
Re: [RHSA-2000:087-02] Potential security problems in ping fixed.
daemon@ATHENA.MIT.EDU (Pekka Savola)
Fri Oct 20 20:35:42 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.21.0010201935480.5385-100000@netcore.fi>
Date: Fri, 20 Oct 2000 20:02:30 +0300
Reply-To: Pekka Savola <pekkas@NETCORE.FI>
From: Pekka Savola <pekkas@NETCORE.FI>
X-To: "van der Kooij, Hugo" <Hugo.van.der.Kooij@CAIW.NL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.10.10010201408220.2643-100000@bastion.hugo.vanderkooij.org>
On Fri, 20 Oct 2000, van der Kooij, Hugo wrote:
> On Wed, 18 Oct 2000, Joe Laffey wrote:
>
> > On Wed, 18 Oct 2000 bugzilla@REDHAT.COM wrote:
> >
> > > ---------------------------------------------------------------------
> > > Red Hat, Inc. Security Advisory
> > >
> > > Synopsis: Potential security problems in ping fixed.
> > > Advisory ID: RHSA-2000:087-02
> > > Issue date: 2000-10-17
> > > Updated on: 2000-10-18
> > > Product: Red Hat Linux
> > > Keywords: ping buffer overflows
> >
> > [SNIP]
> > > 2. Relevant releases/architectures:
> > >
> > > Red Hat Linux 6.2 - i386, alpha, sparc
> > > Red Hat Linux 7.0 - i386
> > > Red Hat Linux 7.0J - i386
> >
> > [snip]
> >
> > Does this apply to 6.0 as well?
>
> As a rule of thumb:
> Any fix for 6.x is for all versions of 6.x. So if one is announced for 6.2
> you should consider 6.0 and 6.1 as suspect as well.

That's a good generic rule.

RHL 6.0 and previous used ping from netkit-base package (0.10). Most of
the issues mentioned (static buffers, dropping root, for example) are
there at least to some extent. Other issues have certainly been
introduced and others fixed since the split.

RHL 6.1+ use ping from A. Kuznetsov's iputils package. This shares the
old netkit-base code base.

I'd say you'd be safer off upgrading from netkit-base to iputils +
inetd (which replace netkit-base package), from Errata + RHL 6.2, for
example.

--
Pekka Savola "Tell me of difficulties surmounted,
Pekka.Savola@netcore.fi not those you stumble over and fall"