CVE-2023-46316

In buc Traceroute 2.0.12 through 2.1.2 before 2.1.3, the wrapper scripts do not properly parse command lines.

Name: CVE-2023-46316

Description: In buc Traceroute 2.0.12 through 2.1.2 before 2.1.3, the wrapper scripts do not properly parse command lines.

Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

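| Source Package | Release | Version | Status |
|---|---|---|---|
| traceroute (PTS) | buster | 1:2.1.0-2 | vulnerable |
| traceroute (PTS) | bullseye | 1:2.1.0-2+deb11u1 | vulnerable |
| traceroute (PTS) | bookworm | 1:2.1.2-1 | vulnerable |
| traceroute (PTS) | sid, trixie | 1:2.1.3-1 | fixed |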

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| traceroute | source | (unstable) | 1:2.1.3-1 | | | |

Notes

[bookworm] - traceroute <no-dsa> (Minor issue)
[bullseye] - traceroute <no-dsa> (Minor issue)
[buster] - traceroute <no-dsa> (Minor issue)
https://sourceforge.net/projects/traceroute/files/traceroute/traceroute-2.1.3/

Related news

Red Hat Security Advisory 2024-2483-03

Red Hat Security Advisory 2024-2483-03 - An update for traceroute is now available for Red Hat Enterprise Linux 9.

Ubuntu Security Notice USN-6478-1

Ubuntu Security Notice 6478-1 - It was discovered that Traceroute did not properly parse command line arguments. An attacker could possibly use this issue to execute arbitrary commands.
