Skip to navigation

Security Advisory Important: nfs-utils-lib security update

Advisory: RHSA-2007:0951-2
Type: Security Advisory
Severity: Important
Issued on: 2007-10-02
Last updated on: 2007-10-02
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
CVEs (cve.mitre.org): CVE-2007-3999
CVE-2007-4135

Details

An updated nfs-utils-lib package to correct two security flaws is now
available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

The nfs-utils-lib package contains support libraries that are needed by the
commands and daemons of the nfs-utils package.

The updated nfs-utils package fixes the following vulnerabilities:

Tenable Network Security discovered a stack buffer overflow flaw in the RPC
library used by nfs-utils-lib. A remote unauthenticated attacker who can
access an application linked against nfs-utils-lib could trigger this flaw
and cause the application to crash. On Red Hat Enterprise Linux 5 it is not
possible to exploit this flaw to run arbitrary code as the overflow is
blocked by FORTIFY_SOURCE. (CVE-2007-3999)

Tony Ernst from SGI has discovered a flaw in the way nfsidmap maps NFSv4
unknown uids. If an unknown user ID is encountered on an NFSv4 mounted
filesystem, the files will default to being owned by 'root' rather than
'nobody'. (CVE-2007-4135)

Users of nfs-utils-lib are advised to upgrade to this updated package,
which contains backported patches to resolve these issues.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

RHEL Desktop Workstation (v. 5 client)

SRPMS:
nfs-utils-lib-1.0.8-7.2.z2.src.rpm
File outdated by:  RHEA-2012:0299
    MD5: 80a7bf1fdfb74b567f0b98882b5de084
 
IA-32:
nfs-utils-lib-devel-1.0.8-7.2.z2.i386.rpm
File outdated by:  RHEA-2012:0299
    MD5: c890d8f2e7e6b5fa0bb0878936f343ad
 
x86_64:
nfs-utils-lib-devel-1.0.8-7.2.z2.i386.rpm
File outdated by:  RHEA-2012:0299
    MD5: c890d8f2e7e6b5fa0bb0878936f343ad
nfs-utils-lib-devel-1.0.8-7.2.z2.x86_64.rpm
File outdated by:  RHEA-2012:0299
    MD5: 33fe924d3a325d426858b6aad70f1fe6
 
Red Hat Enterprise Linux (v. 5 server)

SRPMS:
nfs-utils-lib-1.0.8-7.2.z2.src.rpm
File outdated by:  RHEA-2012:0299
    MD5: 80a7bf1fdfb74b567f0b98882b5de084
 
IA-32:
nfs-utils-lib-1.0.8-7.2.z2.i386.rpm
File outdated by:  RHEA-2012:0299
    MD5: 4a7766d840a3b84ba568a283a3acf1d3
nfs-utils-lib-devel-1.0.8-7.2.z2.i386.rpm
File outdated by:  RHEA-2012:0299
    MD5: c890d8f2e7e6b5fa0bb0878936f343ad
 
IA-64:
nfs-utils-lib-1.0.8-7.2.z2.ia64.rpm
File outdated by:  RHEA-2012:0299
    MD5: b49bcc58f42fe1a3c1fb01aa86f40749
nfs-utils-lib-devel-1.0.8-7.2.z2.ia64.rpm
File outdated by:  RHEA-2012:0299
    MD5: 981f9c4878a63f59d23c1b56e88a4488
 
PPC:
nfs-utils-lib-1.0.8-7.2.z2.ppc.rpm
File outdated by:  RHEA-2012:0299
    MD5: f9b8f236a9cd1e0af83e75c6328034ef
nfs-utils-lib-1.0.8-7.2.z2.ppc64.rpm
File outdated by:  RHEA-2012:0299
    MD5: 15f30c10412135fe3c72c3810fbff021
nfs-utils-lib-devel-1.0.8-7.2.z2.ppc.rpm
File outdated by:  RHEA-2012:0299
    MD5: e9010a2a7b9051ef213535caf3720c82
nfs-utils-lib-devel-1.0.8-7.2.z2.ppc64.rpm
File outdated by:  RHEA-2012:0299
    MD5: 6d0ff75429edca9126c9eb3c03a61060
 
s390x:
nfs-utils-lib-1.0.8-7.2.z2.s390.rpm
File outdated by:  RHEA-2012:0299
    MD5: 45ec57215f2edd048a6fbf06bcc0fefe
nfs-utils-lib-1.0.8-7.2.z2.s390x.rpm
File outdated by:  RHEA-2012:0299
    MD5: ba87ae35fc6b3fefd91bf158d0c77d5d
nfs-utils-lib-devel-1.0.8-7.2.z2.s390.rpm
File outdated by:  RHEA-2012:0299
    MD5: f0cc242918a225377f7b05302a82d5a7
nfs-utils-lib-devel-1.0.8-7.2.z2.s390x.rpm
File outdated by:  RHEA-2012:0299
    MD5: dea17a87ca13c7859fdac6607cd489d1
 
x86_64:
nfs-utils-lib-1.0.8-7.2.z2.i386.rpm
File outdated by:  RHEA-2012:0299
    MD5: 4a7766d840a3b84ba568a283a3acf1d3
nfs-utils-lib-1.0.8-7.2.z2.x86_64.rpm
File outdated by:  RHEA-2012:0299
    MD5: 0319d4618fd0cfc2ae148f91cb37eb2e
nfs-utils-lib-devel-1.0.8-7.2.z2.i386.rpm
File outdated by:  RHEA-2012:0299
    MD5: c890d8f2e7e6b5fa0bb0878936f343ad
nfs-utils-lib-devel-1.0.8-7.2.z2.x86_64.rpm
File outdated by:  RHEA-2012:0299
    MD5: 33fe924d3a325d426858b6aad70f1fe6
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
nfs-utils-lib-1.0.8-7.2.z2.src.rpm
File outdated by:  RHEA-2012:0299
    MD5: 80a7bf1fdfb74b567f0b98882b5de084
 
IA-32:
nfs-utils-lib-1.0.8-7.2.z2.i386.rpm
File outdated by:  RHEA-2012:0299
    MD5: 4a7766d840a3b84ba568a283a3acf1d3
 
x86_64:
nfs-utils-lib-1.0.8-7.2.z2.i386.rpm
File outdated by:  RHEA-2012:0299
    MD5: 4a7766d840a3b84ba568a283a3acf1d3
nfs-utils-lib-1.0.8-7.2.z2.x86_64.rpm
File outdated by:  RHEA-2012:0299
    MD5: 0319d4618fd0cfc2ae148f91cb37eb2e
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

250973 - CVE-2007-3999 krb5 RPC library buffer overflow
254040 - CVE-2007-4135 nfs-utils-lib NFSv4 user id mapping flaw


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/