Some security issues and vulnerabilities have been reported in radvd, which can be exploited by malicious, local users to gain escalated privileges and by malicious people to cause a DoS (Denial of Service).

1) A signedness error within the "process_ra()" function (process.c) when parsing the "ND_OPT_DNSSL_INFORMATION" option can be exploited to cause a stack-based buffer overflow.

2) An input sanitation error within the "set_interface_var()" function (device-linux.c) can be exploited to e.g. overwrite arbitrary files via directory traversal and symlink attacks.

3) The daemon does not properly terminate if the privilege separation failed, which can lead to the daemon running with higher privileges than intended.

4) Boundary errors within the "process_ra()" function (process.c) can be exploited to cause out-of-bounds reads and crash the service.

5) An error within the unicast-only mode can be exploited to cause a delay within the processing by flooding the service with ND_ROUTER_SOLICIT messages.

Note: Successful exploitation of this vulnerability requires that the service is running in unicast-only mode.

The security issues and vulnerabilities are reported in version 1.8.1. Prior versions may also be affected.

Solution
Update to version 1.8.3.

Provided and/or discovered by
Vasiliy Kulikov

Changelog
Further details available to Secunia VIM customers

Original Advisory
http://www.openwall.com/lists/oss-security/2011/10/06/3
https://github.com/reubenhwk/radvd/blob/fc207cc6a2de572226133276ee30a9a313dca902/CHANGES
https://github.com/reubenhwk/radvd/commit/7a1471b62da88373e8f4209d503307c5d841b81f

Deep Links
Links available to Secunia VIM customers