Directory traversal vulnerability in device-linux.c in the router advertisement daemon (radvd) before 1.8.2 allows local users to overwrite arbitrary files, and remote attackers to overwrite certain files, via a .. (dot dot) in an interface name. NOTE: this can be leveraged with a symlink to overwrite arbitrary files.
The information has been provided by Vasiliy Kulikov of Openwall.
* Vulnerable: router advertisement daemon (radvd) 1.8.1 and earlier
* Not vulnerable: router advertisement daemon (radvd) 1.8.2 and later
An arbitrary file overwrite flaw was found in radvd's set_interface_var() function: it did not check the interface name (generated by the unprivileged user), and the root process blindly overwrites a file with a decimal value. If a local attacker could create symlinks pointing to arbitrary files on the system, they could overwrite the target file contents. If only radvd is compromised (e.g. no local access), the attacker may overwrite only files with specific names (PROC_SYS_IP6_* from radvd's pathnames.h).
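The missing check described above can be shown as a small validator that runs before the interface name is formatted into a /proc path. This is an added example, not radvd's code or its actual patch. The names `iface_name_is_safe`, `build_iface_path`, `EXAMPLE_PROC_FMT` and `EXAMPLE_IFNAMSIZ` are hypothetical, and the format string is an assumed stand-in for one PROC_SYS_IP6_* pattern.

```c
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for one PROC_SYS_IP6_* pattern; %s is the interface name. */
#define EXAMPLE_PROC_FMT "/proc/sys/net/ipv6/conf/%s/hop_limit"
#define EXAMPLE_IFNAMSIZ 16   /* Linux interface name limit, including the NUL */

/* Return 1 if name can only ever name a single directory entry, else 0. */
int iface_name_is_safe(const char *name)
{
    size_t len;

    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len >= EXAMPLE_IFNAMSIZ)   /* empty or too long for an interface */
        return 0;
    if (strchr(name, '/') != NULL)             /* would add a path component */
        return 0;
    if (strstr(name, "..") != NULL || strcmp(name, ".") == 0)
        return 0;                              /* parent or current directory reference */
    return 1;
}

/* Build the path into out; return 0 on success, -1 if rejected or truncated. */
int build_iface_path(char *out, size_t outlen, const char *iface)
{
    int n;

    if (!iface_name_is_safe(iface))
        return -1;
    n = snprintf(out, outlen, EXAMPLE_PROC_FMT, iface);
    if (n < 0 || (size_t)n >= outlen)          /* never write to a truncated path */
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample names: two ordinary ones, three that must be rejected. */
    const char *samples[] = { "eth0", "br-lan.10", "../../tmp/x", "eth0/../lo", ".." };
    char path[128];
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-12s -> %s\n", samples[i],
               build_iface_path(path, sizeof(path), samples[i]) == 0 ? path : "rejected");
    return 0;
}
```

The check is deliberately conservative: a name containing ".." anywhere is refused even when it would not leave the directory. It does not address the symlink case on its own.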