---------------------------------------------------------------------
Red Hat, Inc. Security Advisory
Synopsis: new NFS server packages available (5.2, 4.2)
Advisory ID: RHSA-1999:053-01
Issue date: 1999-11-11
Updated on: 1999-11-11
Keywords: nfs-server PATH_MAX NAME_MAX rpc.nfsd
Cross references: Bugtraq id #782
---------------------------------------------------------------------
1. Topic:
A buffer overflow exists in the user space NFS daemon that
shipped with Red Hat Linux 4.2 and 5.2.
2. Relevant releases/architectures:
Red Hat Linux 4.x, all platforms
Red Hat Linux 5.x, all platforms
Red Hat Linux 6.x uses the knfsd kernel space NFS daemon,
and is not affected by this problem.
3. Problem description:
The length of a path name was not checked on the
removal of a directory. If a long enough directory name
was created, the buffer holding the pathname would
overflow, and the possibility exists that arbitrary
code could be executed as the user the NFS server runs
as (root). Exploiting this buffer overflow does require
read/write access to a share on an affected server.
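
The class of check described above, as an added example in C. This is not
the nfs-server source or Olaf Kirch's patch; join_path_checked() and the
sample paths are hypothetical. It composes "dir/name" into a fixed buffer
and rejects the request when the component or the combined path is too long.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096   /* fallback if <limits.h> does not define it */
#endif
#ifndef NAME_MAX
#define NAME_MAX 255    /* fallback if <limits.h> does not define it */
#endif

/* Hypothetical helper, not taken from nfs-server: build "dir/name" in out.
 * Returns 0 on success. Returns -1 with errno set to ENAMETOOLONG when the
 * component exceeds NAME_MAX or the joined path does not fit in outsz bytes;
 * in that case out holds an empty string and nothing else is written. */
int join_path_checked(char *out, size_t outsz, const char *dir, const char *name)
{
    size_t dlen = strlen(dir);
    size_t nlen = strlen(name);

    if (outsz == 0) { errno = EINVAL; return -1; }
    out[0] = '\0';

    /* Per-component limit. */
    if (nlen > NAME_MAX) { errno = ENAMETOOLONG; return -1; }

    /* Whole-path limit: dlen + '/' + nlen + NUL must fit in outsz.
     * Expressed with subtraction so the size arithmetic cannot wrap. */
    if (outsz < 2 || dlen > outsz - 2 || nlen > outsz - 2 - dlen) {
        errno = ENAMETOOLONG;
        return -1;
    }

    memcpy(out, dir, dlen);
    out[dlen] = '/';
    memcpy(out + dlen + 1, name, nlen + 1);   /* copies the NUL as well */
    return 0;
}

int main(void)
{
    char path[PATH_MAX], longname[NAME_MAX + 2];   /* constructed inputs */
    memset(longname, 'A', NAME_MAX + 1);
    longname[NAME_MAX + 1] = '\0';
    printf("short name: %d\n", join_path_checked(path, sizeof path, "/export/home", "olddir"));
    printf("long name:  %d\n", join_path_checked(path, sizeof path, "/export/home", longname));
    return 0;
}
```
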
4. Solution:
It is recommended that all users of Red Hat Linux 4.x
and 5.x update to the fixed packages.
Thanks go to Olaf Kirch (okir@monad.swb.de) for providing
a fix.
For each RPM for your particular architecture, run:

    rpm -Uvh <filename>

where filename is the name of the RPM.

You can verify each package with the following command:

    rpm --checksig <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

    rpm --checksig --nogpg <filename>