Re: [RHSA-2000:087-02] Potential security problems in ping fixed.

[Pekka Savola <pekkas () NETCORE FI>]

On Fri, 20 Oct 2000, van der Kooij, Hugo wrote:
> On Wed, 18 Oct 2000, Joe Laffey wrote:
>
> > On Wed, 18 Oct 2000 bugzilla () REDHAT COM wrote:
> >
> > > ---------------------------------------------------------------------
> > >                    Red Hat, Inc. Security Advisory
> > >
> > > Synopsis:          Potential security problems in ping fixed.
> > > Advisory ID:       RHSA-2000:087-02
> > > Issue date:        2000-10-17
> > > Updated on:        2000-10-18
> > > Product:           Red Hat Linux
> > > Keywords:          ping buffer overflows
> >
> > [SNIP]
> > > 2. Relevant releases/architectures:
> > >
> > > Red Hat Linux 6.2 - i386, alpha, sparc
> > > Red Hat Linux 7.0 - i386
> > > Red Hat Linux 7.0J - i386
> >
> > [snip]
> >
> > Does this apply to 6.0 as well?
>
> As a rule of thumb:
> Any fix for 6.x is for all version of 6.x So if one is announced for 6.2
> you should considere 6.0 and 6.1 as suspect as well.

That's a good generic rule.

RHL 6.0 and previous used ping from netkit-base package (0.10).  Most of
the issues mentioned (static buffers, dropping root, for example) are
there at least to some extent.  Other issues have certainly been
introduced and others fixed since the split.

RHL 6.1+ use ping from A. Kuznetsov's iputils package.  This shares the
old netkit-base code base.

I'd say you'd be safer off upgrading from netkit-base to iputils +
inetd (which replace netkit-base package), from Errata + RHL 6.2, for
example.

--
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola () netcore fi      not those you stumble over and fall"