From owner-freebsd-bugs Sun Sep 8 06:40:03 1996
Return-Path: owner-bugs
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id GAA01145 for bugs-outgoing; Sun, 8 Sep 1996 06:40:03 -0700 (PDT)
Received: (from gnats@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id GAA01137; Sun, 8 Sep 1996 06:40:01 -0700 (PDT)
Date: Sun, 8 Sep 1996 06:40:01 -0700 (PDT)
Message-Id: <199609081340.GAA01137@freefall.freebsd.org>
To: freebsd-bugs
Cc:
From: roberto@keltia.freenix.fr (Ollivier Robert)
Subject: Re: bin/1581: Traceroute SECURITY PROBLEM -- PRIORITY 1
Reply-To: roberto@keltia.freenix.fr (Ollivier Robert)
Sender: owner-bugs@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

The following reply was made to PR bin/1581; it has been noted by GNATS.

From: roberto@keltia.freenix.fr (Ollivier Robert)
To: karl@Codebase.mcs.net
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/1581: Traceroute SECURITY PROBLEM -- PRIORITY 1
Date: Sun, 8 Sep 1996 15:33:16 +0200

According to Karl:
> Diff enclosed fixes problem. Two things are done:
> 1) strcpys replaced with strncpys specifying length
> 2) SUID privileges relinquished once socket is acquired; they
> are no longer necessary.

While I agree with the strcpy -> strncpy changes, you should note that
privileges are relinquished for a long time...

#ifndef lint
static char *rcsid =
    "@(#)$Header: /spare/FreeBSD-current/src/usr.sbin/traceroute/traceroute.c,v 1.10 1996/08/21 05:59:19 peter Exp $ (LBL)";
#endif

[...line 299...]

	/*
	 * Do the setuid-required stuff first, then lose privileges ASAP.
	 * Do error checking for these two calls where they appeared in
	 * the original code.
	 */
	pe = getprotobyname("icmp");
	if (pe) {
		if ((s = socket(AF_INET, SOCK_RAW, pe->p_proto)) < 0)
			sockerrno = errno;
		else if ((sndsock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
			sockerrno = errno;
	}
	setuid(getuid());

[...]

So the attack can't be used for getting root priv.
-- 
Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 2.2-CURRENT #21: Sun Sep 8 14:35:00 MET DST 1996
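As an added illustration (not part of the PR, the reply, or traceroute's source), the acquire-then-drop sequence from the quoted code written out with the two checks a reviewer would want: the return value of setuid() is tested, and the drop is verified afterwards. The struct and function names are my own.

```c
#include <errno.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Outcome of the acquire-then-drop sequence (hypothetical helper, not traceroute's). */
struct privsep_result {
    int raw_fd;       /* raw socket descriptor, or -1 */
    int sock_errno;   /* errno saved from socket(), reported after the drop */
    int dropped;      /* 1 if real and effective uid equal the real uid afterwards */
    int irrevocable;  /* 1 if a later setuid(0) is refused (trivially 1 when run as root) */
};

struct privsep_result acquire_then_drop(void)
{
    struct privsep_result r = { -1, 0, 0, 0 };
    uid_t ruid = getuid();

    /* 1. Do the only privileged operation first: open the raw socket.
     *    As in traceroute, the error is remembered, not acted on, so the
     *    report can be printed once privileges are gone. */
    r.raw_fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (r.raw_fd < 0)
        r.sock_errno = errno;

    /* 2. Drop privileges before touching any user-controlled input.
     *    When the effective uid is 0, setuid() sets real, effective and
     *    saved uid, so the drop cannot be undone.  Unlike the quoted
     *    patch, check the return value: a failed drop must be fatal. */
    if (setuid(ruid) != 0) {
        if (r.raw_fd >= 0)
            close(r.raw_fd);
        r.raw_fd = -1;
        return r;
    }
    r.dropped = (getuid() == ruid && geteuid() == ruid);

    /* 3. Verify the drop stuck: a non-root real user must not be able
     *    to become root again.  If ruid is 0 there is nothing to test. */
    if (ruid != 0)
        r.irrevocable = (setuid(0) == -1 && errno == EPERM);
    else
        r.irrevocable = 1;
    return r;
}
```

Run unprivileged, socket() fails with the saved errno while the drop and its verification still succeed; run set-uid root, the raw socket is obtained and the process is demonstrably unable to regain uid 0.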