OSEC

Subject: traceroute 1.4a6
From: Tim Robbins (fyrebox3n.gumbynet.org)
Date: Tue Sep 26 2000 - 19:10:50 CDT


I've been meaning to send this message for about a week now... The patch
attached to this message fixes the following problems with traceroute
1.4a6:

* Assumes argv[0] to be non-NULL in main() when finding `prog', name of the
  current program, which causes a segmentation fault when manipulated to find
  the basename of the program. If argv[0] is NULL (argc == 0), the hardcoded
  name "traceroute" is used to avoid this.
* Should open sockets and drop privileges as soon as possible. Make sure the
  calls to set[ug]id() don't result in an error due to strange things happening,
  e.g. interrupted system calls, capabilities. Idea for this from OpenBSD, but
  no OpenBSD code used.
* Open /dev/null instead of "." to ensure raw socket file descriptor > 2,
  don't waste unneeded file descriptors.
* Maximum wait time of one hour introduced to stop overflow in function
  wait_for_reply(): wait.tv_sec = tp->tv_sec + waittime
* Stopped the result of str2val (int) overflowing port (u_short) with -p
  option.
* Check that the packet length specified on the command line does not exceed
  `maxpacket'. Could have been used to cause resource starvation denial of
  service attack since the memory was allocated as the superuser, bypassing
  any resource limits in place.
* Changed '[ -p port]' to '[-p port]' in usage information, not a security
  fix :)

Cheers,
  Tim
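The argv[0], -p port, wait-time and packet-length checks described in the message, written out as an added C example (not the attached patch and not traceroute's own code; the function names, the 3600-second cap semantics and the minpacket/maxpacket arguments are assumptions):

```c
/* Added example: hardened input checks corresponding to the fixes listed
 * above. Not the posted patch; names and limits are assumptions. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define MAX_WAIT_SECS 3600L   /* one-hour cap, so tv_sec + waittime cannot overflow */

/* Basename of the program name; if argv[0] is NULL (argc == 0) use a
 * hardcoded name instead of dereferencing a NULL pointer. */
const char *prog_name(int argc, char **argv)
{
    const char *p;
    if (argc < 1 || argv == NULL || argv[0] == NULL)
        return "traceroute";
    p = strrchr(argv[0], '/');
    return p != NULL ? p + 1 : argv[0];
}

/* Parse the -p argument as decimal and refuse anything that would not fit
 * in a u_short (0 is also refused). Returns 1 on success, 0 on failure. */
int parse_port(const char *s, unsigned short *port)
{
    char *end;
    long v;
    if (s == NULL || *s == '\0')
        return 0;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v < 1 || v > 65535)
        return 0;
    *port = (unsigned short)v;
    return 1;
}

/* Accept only wait times in [1, MAX_WAIT_SECS]; larger values are rejected
 * rather than silently clamped (assumption about the patch's behaviour). */
int wait_ok(long waittime)
{
    return waittime >= 1 && waittime <= MAX_WAIT_SECS;
}

/* Validate the command-line packet length against the compiled-in bounds
 * before any buffer is allocated while still running as the superuser. */
int packet_len_ok(long len, long minpacket, long maxpacket)
{
    return len >= minpacket && len <= maxpacket;
}
```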