NetWinder.org - NetWinder security advisory Page

NAVIGATION

About
News
Support

Downloads
- Search
- Mirrors
- Auto update

Documentation
- FAQ
- HOWTOs
- ARM info
- Crusoe info

Development
- Toolchain
- Autobuild
- Users

Sponsored by:

NetWinder security advisory

ID	2000-011
Issued	2000-Jul-18
Package	nfs-utils
Summary	nfs-utils remote root compromise
Category	Improper input validation (format string)
Severity	High (remote root compromise)
Products	Developer dm-3.1-15 and earlier
	OfficeServer os-1.5-4 and earlier

DESCRIPTION

The "rpc.statd" daemon in the "nfs-utils" package is susceptible to a format string attack by which a remote user could gain root access to the system.

SOLUTION

Download the following RPM packages to the NetWinder into a temporary directory, then install them with the command "rpm -Uvh *.rpm". Be sure there are no other files ending in ".rpm" in the temporary directory. See http://www.netwinder.org/security/install.html for more help.

Required packages

http://www.netwinder.org/updates/armv4l/nfs-utils-0.1.9.1-1.armv4l.rpm

REFERENCES

Reported on Bugtraq by Daniel Jacobowitz on July 16, 2000. Patched RPMs issued by RedHat on July 17th, 2000.