Vulnerability Note VU#946652

pWhois Layer Four Traceroute 3.x vulnerability

Original Release date: 04 Apr 2011 | Last revised: 04 Apr 2011


Given a specific set of command line arguments, Layer Four Traceroute (lft) will produce a segmentation fault leading to a possible privilege escalation vulnerability.


pWhois Layer Four Traceroute 3.x contains a vulnerability when parsing command line arguments. Earlier versions of Layer Four Traceroute may also be vulnerable. Some distributions that package Layer Four Traceroute are not vulnerable because they do not install the 'lft' binary SETUID root.


If Layer Four Traceroute is installed SETUID root, a local attacker may be able to exploit the vulnerability for privilege escalation.


Apply an Update

Upgrade to Layer Four Traceroute 3.3 or later.


If upgrading to the latest version is not possible, do not install Layer Four Traceroute SETUID root. This will limit the application functionality for unprivileged users.
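
The following added example (not part of the original note and not pWhois code) shows one way to check whether an installed lft binary carries the SETUID bit and to clear it as the workaround describes. The function names are hypothetical, and the binary path is an assumption that must be supplied by the administrator.

```shell
#!/bin/sh
# Added example: audit an lft binary for the SETUID-root condition described
# in this note. Function names are hypothetical; the path to lft is an
# assumption and is passed in as the first argument.

# Print one of: missing | not-setuid | setuid-root | setuid-uid<N>
lft_setuid_status() {
    path=$1
    [ -e "$path" ] || { echo "missing"; return 0; }
    if [ -u "$path" ]; then
        # Numeric owner from ls -n (third field); avoids non-portable stat flags.
        owner=$(ls -ldn -- "$path" | awk '{print $3}')
        if [ "$owner" = "0" ]; then
            echo "setuid-root"
        else
            echo "setuid-uid$owner"
        fi
    else
        echo "not-setuid"
    fi
}

# Workaround from the note: clear the set-user-ID bit if it is set.
# Unprivileged users lose the functionality that needed root.
lft_drop_setuid() {
    path=$1
    [ -u "$path" ] || return 0
    chmod u-s -- "$path"
}

# Report the state of one binary and say what the note recommends for it.
lft_audit() {
    status=$(lft_setuid_status "$1")
    echo "$1: $status"
    if [ "$status" = "setuid-root" ]; then
        echo "  upgrade to lft 3.3 or later, or clear the bit: chmod u-s $1"
    fi
}

# Run the audit only when a path is given on the command line.
if [ $# -gt 0 ]; then
    lft_audit "$1"
fi
```

Pass the installed location of lft as the only argument; clearing the bit requires ownership of the file or root.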

Vendor Information

Vendor                 Status        Date Notified  Date Updated
pwhois_lft             Affected      19 Jan 2011    04 Apr 2011
Red Hat, Inc.          Not Affected  22 Feb 2011    04 Apr 2011
Slackware Linux Inc.   Not Affected  22 Feb 2011    04 Apr 2011
SUSE Linux             Not Affected  22 Feb 2011    04 Apr 2011
Ubuntu                 Not Affected  22 Feb 2011    04 Apr 2011
Debian GNU/Linux       Unknown       22 Feb 2011    22 Feb 2011
FreeBSD Project        Unknown       22 Feb 2011    22 Feb 2011
Gentoo Linux           Unknown       22 Feb 2011    22 Feb 2011
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A



Thanks to Markus Gothe for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

  • CVE IDs: CVE-2011-0765
  • Date Public: 04 Apr 2011
  • Date First Published: 04 Apr 2011
  • Date Last Updated: 04 Apr 2011
  • Document Revision: 17


If you have feedback, comments, or additional information about this vulnerability, please send us email.