CVE-2008-2357

UNRATEDMemory safety

Description

Stack-based buffer overflow in the split_redraw function in split.c in mtr before 0.73, when invoked with the -p (aka --split) option, allows remote attackers to execute arbitrary code via a crafted DNS PTR record. NOTE: it could be argued that this is a vulnerability in the ns_name_ntop function in resolv/ns_name.c in glibc and the proper fix should be in glibc; if so, then this should not be treated as a vulnerability in mtr.

Affected products

matt_kimball_and_roger_wolff / mtr0.72
matt_kimball_and_roger_wolff / mtr0.21 – 0.21
matt_kimball_and_roger_wolff / mtr0.22 – 0.22
matt_kimball_and_roger_wolff / mtr0.23 – 0.23
matt_kimball_and_roger_wolff / mtr0.24 – 0.24
matt_kimball_and_roger_wolff / mtr0.25 – 0.25
matt_kimball_and_roger_wolff / mtr0.26 – 0.26
matt_kimball_and_roger_wolff / mtr0.27 – 0.27
matt_kimball_and_roger_wolff / mtr0.28 – 0.28
matt_kimball_and_roger_wolff / mtr0.29 – 0.29
matt_kimball_and_roger_wolff / mtr0.30 – 0.30
matt_kimball_and_roger_wolff / mtr0.31 – 0.31
matt_kimball_and_roger_wolff / mtr0.32 – 0.32
matt_kimball_and_roger_wolff / mtr0.33 – 0.33
matt_kimball_and_roger_wolff / mtr0.34 – 0.34
matt_kimball_and_roger_wolff / mtr0.35 – 0.35
matt_kimball_and_roger_wolff / mtr0.36 – 0.36
matt_kimball_and_roger_wolff / mtr0.37 – 0.37
matt_kimball_and_roger_wolff / mtr0.38 – 0.38
matt_kimball_and_roger_wolff / mtr0.39 – 0.39
matt_kimball_and_roger_wolff / mtr0.40 – 0.40
matt_kimball_and_roger_wolff / mtr0.41 – 0.41
matt_kimball_and_roger_wolff / mtr0.42 – 0.42
matt_kimball_and_roger_wolff / mtr0.43 – 0.43
matt_kimball_and_roger_wolff / mtr0.44 – 0.44
matt_kimball_and_roger_wolff / mtr0.45 – 0.45
matt_kimball_and_roger_wolff / mtr0.46 – 0.46
matt_kimball_and_roger_wolff / mtr0.47 – 0.47
matt_kimball_and_roger_wolff / mtr0.48 – 0.48
matt_kimball_and_roger_wolff / mtr0.49 – 0.49
matt_kimball_and_roger_wolff / mtr0.50 – 0.50
matt_kimball_and_roger_wolff / mtr0.51 – 0.51
matt_kimball_and_roger_wolff / mtr0.52 – 0.52
matt_kimball_and_roger_wolff / mtr0.53 – 0.53
matt_kimball_and_roger_wolff / mtr0.54 – 0.54
matt_kimball_and_roger_wolff / mtr0.55 – 0.55
matt_kimball_and_roger_wolff / mtr0.56 – 0.56
matt_kimball_and_roger_wolff / mtr0.57 – 0.57
matt_kimball_and_roger_wolff / mtr0.58 – 0.58
matt_kimball_and_roger_wolff / mtr0.59 – 0.59
matt_kimball_and_roger_wolff / mtr0.60 – 0.60
matt_kimball_and_roger_wolff / mtr0.61 – 0.61
matt_kimball_and_roger_wolff / mtr0.62 – 0.62
matt_kimball_and_roger_wolff / mtr0.63 – 0.63
matt_kimball_and_roger_wolff / mtr0.64 – 0.64
matt_kimball_and_roger_wolff / mtr0.65 – 0.65
matt_kimball_and_roger_wolff / mtr0.66 – 0.66
matt_kimball_and_roger_wolff / mtr0.67 – 0.67
matt_kimball_and_roger_wolff / mtr0.68 – 0.68
matt_kimball_and_roger_wolff / mtr0.69 – 0.69
matt_kimball_and_roger_wolff / mtr0.70 – 0.70
matt_kimball_and_roger_wolff / mtr0.71 – 0.71

References

VENDOR_ADVISORYhttp://secunia.com/advisories/30340
VENDOR_ADVISORYhttp://secunia.com/advisories/30522
MISChttp://www.securityfocus.com/archive/1/492260/100/0/threaded
VENDOR_ADVISORYhttp://secunia.com/advisories/30312
VENDOR_ADVISORYhttp://www.mandriva.com/security/advisories?name=MDVSA-2008:176
MISChttp://www.securityfocus.com/bid/29290
MISChttp://security.gentoo.org/glsa/glsa-200806-01.xml
MAILING_LISThttp://www.openwall.com/lists/oss-security/2008/05/21/3
VENDOR_ADVISORYhttp://secunia.com/advisories/30967
VENDOR_ADVISORYhttp://secunia.com/advisories/30359
MISChttps://exchange.xforce.ibmcloud.com/vulnerabilities/42535
MAILING_LISThttp://www.openwall.com/lists/oss-security/2008/05/21/4
MISChttp://securityreason.com/securityalert/3903
VENDOR_ADVISORYhttp://www.debian.org/security/2008/dsa-1587
MAILING_LISThttp://lists.opensuse.org/opensuse-security-announce/2008-07/msg00001.html
VENDOR_ADVISORYhttp://wiki.rpath.com/wiki/Advisories:rPSA-2008-0175
MAILING_LISThttp://seclists.org/fulldisclosure/2008/May/0488.html
MAILING_LISThttp://www.openwall.com/lists/oss-security/2008/05/21/1
MISChttp://www.securitytracker.com/id?1020046
MISChttps://issues.rpath.com/browse/RPL-2558
MISCftp://ftp.bitwizard.nl/mtr/mtr-0.73.diff