Secure testing team - Oct 2011 - Bug#644614: multiple security issues in radvd 1.6

Package: radvd
Version: 1.6-1
Severity: grave
Tags: security
Justification: user security hole

Hey,

Solar Designer reported on http://seclists.org/oss-sec/2011/q4/30 that
multiple issues were found in radvd 1.8.1. Not all of them apply to
1.6-1 in squeeze or 1.8-1 in sid though.

As far as I can tell:

* CVE-2011-3601 (privilege escalation) is present in 1.8-1 but not in
  1.6-1 (no support for ND_OPT_DNSSL_INFORMATION in 1.6)
  Patch:
https://github.com/reubenhwk/radvd/commit/9dfaaaf740ce784541e76e68de4ae04dce2c0921
* CVE-2011-3602 (arbitrary file overwrite) is present in both versions
  Patch:
https://github.com/reubenhwk/radvd/commit/92e22ca23e52066da2258df8c76a2dca8a428bcc
* CVE-2011-3603 (failure to check privsep() errors) is present in both versions
  Patches:
https://github.com/reubenhwk/radvd/commit/2c50375043186e133f15135f4c93ca964238ee60
          
https://github.com/reubenhwk/radvd/commit/074816cd0b37aac7b3209987e6e998f0a847b275
          
https://github.com/reubenhwk/radvd/commit/7dc53cc3b792775369bf0b2f053a3f4ed5d87e3d
* CVE-2011-3604 (buffer overreads) is present in both versions
  Patch:
https://github.com/reubenhwk/radvd/commit/7de1b9abf87b747ee2611c0d2a94dfeee79878b4
* CVE-2011-3605 (denial of service in unicast mode) is present in both versions
  Patch:
 
https://github.com/reubenhwk/radvd/commit/2591d0189257caeaae2057dfed0a260310497a61

I''m reporting only one bug for all the issues, which can be fixed by
uploading 1.8.2-1 to unstable. For squeeze, backporting the patches
should be fairly straightforward.

Please add CVE numbers in the changelog.

Regards,
-- 
Yves-Alexis

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, ''unstable'')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

On ven., 2011-10-07 at 13:35 +0200, Yves-Alexis Perez
wrote:
> I''m reporting only one bug for all the issues, which can be fixed
by
> uploading 1.8.2-1 to unstable. For squeeze, backporting the patches
> should be fairly straightforward. 
Unless I hear some news from the maintainer I guess I''m gonna prepare a
stable upload. I can''t really find the procedure for preparing an
upload, make it and release a DSA (never really did that so...). I
looked at the doc/ folder in secure-testing folder but didn''t really
found the correct procedure.

I seem to recall something about claiming an issue to rt.debian.org but
besides that... :)

Regards,
-- 
Yves-Alexis
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL:
<http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20111007/193169e9/attachment.pgp>

On ven., 2011-10-07 at 13:35 +0200, Yves-Alexis Perez
wrote:
> I''m reporting only one bug for all the issues, which can be fixed
by
> uploading 1.8.2-1 to unstable. For squeeze, backporting the patches
> should be fairly straightforward.
Attached is an attempted debdiff for stable-security.

Regards,
-- 
Yves-Alexis
-------------- next part --------------
A non-text attachment was scrubbed...
Name: radvd-1.6-1..1.6-1.1.diff
Type: text/x-patch
Size: 8398 bytes
Desc: not available
URL:
<http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20111007/98abda77/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL:
<http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20111007/98abda77/attachment-0001.pgp>

On ven., 2011-10-07 at 16:38 +0200, Yves-Alexis Perez
wrote:
> On ven., 2011-10-07 at 13:35 +0200, Yves-Alexis Perez wrote:
> > I''m reporting only one bug for all the issues, which can be
fixed by
> > uploading 1.8.2-1 to unstable. For squeeze, backporting the patches
> > should be fairly straightforward.
> 
> Attached is an attempted debdiff for stable-security.
> 
An updated fix for CVE-2011-3603 is available at
https://github.com/reubenhwk/radvd/commit/7a1471b62da88373e8f4209d503307c5d841b81f

so I''ll make an updated package for stable-security. 1.8.3 should be
released soon for the same reason.

Regards,
-- 
Yves-Alexis
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL:
<http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20111012/ae409491/attachment.pgp>

On mer., 2011-10-12 at 15:00 +0200, Yves-Alexis Perez
wrote:
> On ven., 2011-10-07 at 16:38 +0200, Yves-Alexis Perez wrote:
> > On ven., 2011-10-07 at 13:35 +0200, Yves-Alexis Perez wrote:
> > > I''m reporting only one bug for all the issues, which can
be fixed by
> > > uploading 1.8.2-1 to unstable. For squeeze, backporting the
patches
> > > should be fairly straightforward.
> > 
> > Attached is an attempted debdiff for stable-security.
> > 
> An updated fix for CVE-2011-3603 is available at
>
https://github.com/reubenhwk/radvd/commit/7a1471b62da88373e8f4209d503307c5d841b81f
> 
> so I''ll make an updated package for stable-security. 1.8.3 should
be
> released soon for the same reason.
Here''s the updated debdiff.
-- 
Yves-Alexis
-------------- next part --------------
A non-text attachment was scrubbed...
Name: radvd_1.6-1_1.6-1.1.diff
Type: text/x-patch
Size: 9528 bytes
Desc: not available
URL:
<http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20111012/7217fa44/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL:
<http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20111012/7217fa44/attachment.pgp>

On mer., 2011-10-12 at 15:56 +0200, Yves-Alexis Perez
wrote:
> On mer., 2011-10-12 at 15:00 +0200, Yves-Alexis Perez wrote:
> > On ven., 2011-10-07 at 16:38 +0200, Yves-Alexis Perez wrote:
> > > On ven., 2011-10-07 at 13:35 +0200, Yves-Alexis Perez wrote:
> > > > I''m reporting only one bug for all the issues,
which can be fixed by
> > > > uploading 1.8.2-1 to unstable. For squeeze, backporting the
patches
> > > > should be fairly straightforward.
> > > 
> > > Attached is an attempted debdiff for stable-security.
> > > 
> > An updated fix for CVE-2011-3603 is available at
> >
https://github.com/reubenhwk/radvd/commit/7a1471b62da88373e8f4209d503307c5d841b81f
> > 
> > so I''ll make an updated package for stable-security. 1.8.3
should be
> > released soon for the same reason.
> 
> Here''s the updated debdiff.
Here''s the debdiff for Lenny. Since I got no news from the maintainer,
I
guess I''ll prepare a 1.8.2 NMU with the 7a1471 patch backported for
unstable.

Regards,
-- 
Yves-Alexis
-------------- next part --------------
A non-text attachment was scrubbed...
Name: radvd_1.1-3_1.1-3.1.diff
Type: text/x-patch
Size: 9590 bytes
Desc: not available
URL:
<http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20111014/94f99421/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL:
<http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20111014/94f99421/attachment.pgp>

On ven., 2011-10-14 at 09:10 +0200, Yves-Alexis Perez
wrote:
> Here''s the debdiff for Lenny. Since I got no news from the
maintainer, I
> guess I''ll prepare a 1.8.2 NMU with the 7a1471 patch backported
for
> unstable. 
1.8.3 is out but that makes a diff a bit too huge for an NMU maybe.
Backporting only the relevant patch makes it a bit smaller, so here''s
the debdiff I''m gonna upload to DELAYED/2.

Regards,
-- 
Yves-Alexis
-------------- next part --------------
A non-text attachment was scrubbed...
Name: radvd_1.8-1_1.8-1.1.diff
Type: text/x-patch
Size: 9574 bytes
Desc: not available
URL:
<http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20111014/40866aae/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL:
<http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20111014/40866aae/attachment.pgp>

On Friday 14 October 2011, Yves-Alexis Perez wrote:
> On ven., 2011-10-14 at 09:10 +0200, Yves-Alexis Perez wrote:
> > Here''s the debdiff for Lenny. Since I got no news from the
maintainer, I
> > guess I''ll prepare a 1.8.2 NMU with the 7a1471 patch
backported for
> > unstable.
I can take care of the upload to (old/)stable and DSA.

/luciano

On dim., 2011-10-16 at 01:36 +0200, Luciano Bello wrote:
> On Friday 14 October 2011, Yves-Alexis Perez wrote:
> > On ven., 2011-10-14 at 09:10 +0200, Yves-Alexis Perez wrote:
> > > Here''s the debdiff for Lenny. Since I got no news from
the maintainer, I
> > > guess I''ll prepare a 1.8.2 NMU with the 7a1471 patch
backported for
> > > unstable.
> 
> I can take care of the upload to (old/)stable and DSA.
> 
That''d be nice, I''m not sure if I can do the upload or not but
I''m quite
sure I can''t do the DSA.

Regards,
-- 
Yves-Alexis
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL:
<http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20111016/0e49fd1d/attachment.pgp>

On ven., 2011-10-14 at 23:26 +0200, Yves-Alexis Perez
wrote:
> On ven., 2011-10-14 at 09:10 +0200, Yves-Alexis Perez wrote:
> > Here''s the debdiff for Lenny. Since I got no news from the
maintainer, I
> > guess I''ll prepare a 1.8.2 NMU with the 7a1471 patch
backported for
> > unstable. 
> 
> 1.8.3 is out but that makes a diff a bit too huge for an NMU maybe.
> Backporting only the relevant patch makes it a bit smaller, so
here''s
> the debdiff I''m gonna upload to DELAYED/2.
> 
Fix for CVE-2011-3601 was missing so here''s the debdiff to the -1.2
NMU,
just uploaded to unstable.

Regards,
-- 
Yves-Alexis
-------------- next part --------------
A non-text attachment was scrubbed...
Name: radvd_1.8-1.1_1.8-1.2.diff
Type: text/x-patch
Size: 2570 bytes
Desc: not available
URL:
<http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20111017/9da24a8e/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL:
<http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20111017/9da24a8e/attachment.pgp>