Re: Clarification on FreeBSD-SA-22:15.ping / CVE-2022-23093 ping(8) stack overflow

From: Ted Hatfield <ted_at_io-tx.com>
Date: Tue, 13 Dec 2022 08:35:36 UTC
On Mon, 12 Dec 2022, Ed Maste wrote:

> We've seen many blog posts and news articles about this issue and
> unfortunately most of them get the details wrong. So, to clarify:
>
> - This issue affects only /sbin/ping, not kernel ICMP handling.
> - The issue relies on receipt of malicious packet(s) while the ping
>  utility is running (i.e., while pinging a host).
> - ping(8) is setuid root, but drops privilege (to that of the user
>  executing it) after opening sockets but before sending or receiving
>  data.
> - ping(8) runs in a Capsicum capability sandbox, such that even in the
>  event of a compromise the attacker is quite limited (has no access to
>  global namespaces, such as the filesystem).
> - It is believed that exploitation is not possible due to the stack
>  layout on affected platforms.
>
>

Thanks for the detailed summation.

Ted