Re: FreeBSD-SA-25:12.rtsold.asc clarification needed
Date: Mon, 22 Dec 2025 22:05:06 UTC
On 12/22/2025 4:51 PM, Polarian wrote:
> Hey,
>
>> I am trying to understand if rtsold is not running and not enabled,
>> what from the kernel would spin that up to expose the code path that
>> is patched in the advisory?
> I don't get where you are getting a kernel vulnerability from.
>
> The advisory already explains that the RCE comes from a lack of input
> validation on the domain search field. This is a userspace
> vulnerability.
>
> This is passed to resolvconf, which does not validate its input, which
> therefore allows for an RCE.
>
> So why are we talking about code paths within the kernel? It's not within
> the networking stack, it is a vulnerability within the userspace
> utilities.

When I asked if patching the userland code was enough, you said no.

From what I understand, having ACCEPT_RTADV on an interface means the kernel is processing rtadv packets. The advisory mentions that, but it seems that's not sufficient to trigger the bug, as rtsold is the one that processes the unchecked DNS info. I.e. you need both ACCEPT_RTADV enabled and rtsold enabled, no? If just having ACCEPT_RTADV enabled would lead to an exploit, that implies a kernel bug, no?

I just want to confirm if *not* running rtsold is enough to avoid this bug, or whether just the mere presence of IPv6 can lead to exploit. If the latter, how is that actually working?

---Mike
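The two conditions Mike's question turns on (is the kernel accepting RAs on an interface, and is rtsold enabled and running) can be audited on a FreeBSD host with a short script. This is an added example, not code from the thread or from the advisory; it assumes the nd6 options line format of ifconfig(8), plus sysrc(8) and service(8), and the ifconfig sample inside it is constructed so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: report the two conditions the question
# hinges on. Assumes FreeBSD ifconfig(8) nd6 options output, sysrc(8) and
# service(8); SAMPLE_IFCONFIG below is constructed for offline use.

# Print every interface whose nd6 options include ACCEPT_RTADV, i.e. the
# kernel will process Router Advertisements on it. Reads `ifconfig -a`
# style output on stdin.
rtadv_ifaces() {
    awk '
        /^[a-z0-9.]+:/                   { iface = $1; sub(/:$/, "", iface) }
        /nd6 options=.*<.*ACCEPT_RTADV/  { print iface }
    '
}

# "yes" when rtsold is both enabled in rc.conf and currently running,
# i.e. the daemon that consumes RDNSS/DNSSL options is actually present.
rtsold_state() {
    if [ "$(sysrc -n rtsold_enable 2>/dev/null)" = "YES" ] &&
       service rtsold status >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# One-line summary of both facts; $1 = ifconfig text, $2 = yes|no for rtsold.
summarise() {
    ifaces=$(printf '%s\n' "$1" | rtadv_ifaces | tr '\n' ' ')
    if [ -z "$ifaces" ]; then
        echo "ACCEPT_RTADV: none; rtsold: $2"
    else
        echo "ACCEPT_RTADV: ${ifaces% }; rtsold: $2"
    fi
}

# Constructed sample of `ifconfig -a`: em0 accepts RAs, lo0 does not.
SAMPLE_IFCONFIG='em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet6 fe80::1%em0 prefixlen 64 scopeid 0x1
	nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	inet6 ::1 prefixlen 128
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>'

summarise "$SAMPLE_IFCONFIG" no
# On a live host: summarise "$(ifconfig -a)" "$(rtsold_state)"
```

The script only reports the two facts side by side; whether ACCEPT_RTADV without rtsold is reachable is exactly what the thread is asking, so it deliberately does not claim either way.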