Bugtraq mailing list archives

Re: Serious security flaw in rpc.mountd on several operating


From: deraadt () CVS OPENBSD ORG (Theo de Raadt)
Date: Wed, 27 Aug 1997 02:29:22 -0600


I'm not sure exactly what systems this vulnerability affects, but clearly
it is a serious problem.

Since then, it has been confirmed that this hole is present on at least
some distributions/versions of Linux, Ultrix, NetBSD, OpenBSD, SunOS,
Solaris, and probably many many more.

This was solved well before 2.1 shipped.  The problem did exist in
2.0, but that's about a year old now, and has been replaced with 2.1.

Here's the log entry:

----
symbolic names:
        OPENBSD_2_1: 1.16.0.2
        OPENBSD_2_0: 1.11.0.2
        ...
revision 1.12
date: 1996/12/05 23:14:27;  author: millert;  state: Exp;  lines: +14 -9
Stop info gathering attack pointed out by Alan Cox <alan () cymru net>
Only return ENOENT if the dir trying to be mounted is really exported
to the client.  Return EACCESS if not exported.
----

Now, if I remember, Alan had posted the information about this to
BUGTRAQ, thus prompting us to fix it (there is a small chance that the
problem report actually came to us via David Holland, though).

Anyways, this is not a new bug.  (It's just that most people didn't
fix it).
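The log entry quoted above describes the fix as an ordering of error replies: a mountd that answers ENOENT (no such directory) before it has checked whether the client is allowed that export turns the daemon into an existence oracle for the server's filesystem. The following is an added illustration, not code from OpenBSD's mountd or from this thread; the export table, the list of "existing" directories and the client names are constructed for the example, and export matching is simplified to an exact path comparison.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the server's filesystem (replaces stat()). */
static const char *existing_dirs[] = {
    "/export/home", "/export/data", "/secret/project"
};

/* Constructed stand-in for the exports file: which client may mount what. */
struct export_entry { const char *dir; const char *client; };
static const struct export_entry exports[] = {
    { "/export/home", "client-a" },
    { "/export/data", "client-b" },
};

#define NELEM(a) (sizeof(a) / sizeof((a)[0]))

static int dir_exists(const char *path) {
    for (size_t i = 0; i < NELEM(existing_dirs); i++)
        if (strcmp(existing_dirs[i], path) == 0) return 1;
    return 0;
}

/* Exact-match export lookup (an assumption; real mountd also walks parents). */
static int exported_to(const char *path, const char *client) {
    for (size_t i = 0; i < NELEM(exports); i++)
        if (strcmp(exports[i].dir, path) == 0 &&
            strcmp(exports[i].client, client) == 0) return 1;
    return 0;
}

/* Leaky ordering: existence is reported before authorization, so an
 * unauthorized client learns which paths exist (ENOENT vs EACCES). */
int mount_reply_leaky(const char *path, const char *client) {
    if (!dir_exists(path)) return ENOENT;
    if (!exported_to(path, client)) return EACCES;
    return 0;
}

/* Fixed ordering, as in the log entry: only a client the directory is
 * really exported to can ever see ENOENT; everyone else gets EACCES. */
int mount_reply_fixed(const char *path, const char *client) {
    if (!exported_to(path, client)) return EACCES;
    if (!dir_exists(path)) return ENOENT;
    return 0;
}

/* Returns 1 when the reply function lets an unauthorized client tell an
 * existing unexported directory apart from a nonexistent one. */
int reply_leaks_existence(int (*reply)(const char *, const char *)) {
    int present = reply("/secret/project", "client-a");
    int absent  = reply("/secret/nothing", "client-a");
    return present != absent;
}

int main(void) {
    printf("leaky ordering leaks existence: %d\n",
           reply_leaks_existence(mount_reply_leaky));
    printf("fixed ordering leaks existence: %d\n",
           reply_leaks_existence(mount_reply_fixed));
    return 0;
}
```

The point to carry over to any network service is that the authorization decision must be made before any lookup whose outcome depends on the requested name, otherwise the error code itself discloses what the lookup found.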


