Bugtraq mailing list archives

Re: RSI.0008.08-18-98.ALL.RPC_PCNFSD

From: jvornehm () ece neu edu (Joseph E. Vornehm Jr.)
Date: Wed, 19 Aug 1998 11:30:46 -0400

Platforms:     Vulnerable:

               AIX: 4.0, 4.1, 4.2, 4.3
               HP-UX: 7.x, 8.x, 9.x, 10.x, 11.x
               SunOS: 4.1.3, 4.1.4
               Solaris: 2.3, 2.4, 2.5, 2.5.1, 2.6
               Redhat Linux: 4.0, 4.1, 4.2, 5.0, 5.1
               Slackware Linux: 3.0, 3.1, 3.2, 3.3, 3.4, 3.5
               OSF: 3.2



OK, TurboLinux 2.0 is NOT vulnerable, and neither is Redhat 5.1 despite
what it says up there.  Why?  Because neither TL nor RH 5.1 even include
rpc.pcnfsd (checked by querying every RPM package in both distributions,
grepping for 'pcnfs' -- no matches).


Did you look carefully on sunsite?

/pub/Linux/system/network/sunacm/Other/pcnfsd/pcnsfd-140.tar.gz

Notice there is a typo there. "pcnsfd"


It looks to me like the PCNFSD package wasn't included in any of the
official Red Hat distributions (or, based on Scott's comments, official
TurboLinux distributions).  If that's the case, why would Red Hat be
listed as a "vulnerable platform"?  First of all, as a vendor, Red Hat
should only be held accountable for the packages they include in the
"official" distribution.  Second, it's not even "Red Hat Linux" or
"Slackware Linux" that's vulnerable -- it's the PCNFSD package.

I'm not trying to say this specifically in defense of Red Hat -- it's
more a general concern.  If the package isn't part of the Frobnitz Linux
distribution, then saying that "the Frobnitz Linux distribution is
vulnerable" is incorrect and misleading.  It would be much more accurate
(and much less work for testing labs like RSI) to say something like,
"The Linux PCNFSD package is vulnerable (tested under Frobnitz Linux
3.2.5)."  (It's also extremely advisable to give extra information
identifying the package(s), because (especially with Linux) there are
often several packages that try to meet the same need.  In this case,
there are the linux_pcnfsd2.tgz package and the pcnsfd-140.tar.gz.)

On the other hand, if a package (such as bind) that _is_ part of the
Frobnitz Linux distribution is found vulnerable, then I want to hear
about it in the advisory.

One more point... If Slackware includes the PCNFSD package as part of
the official distribution, that might explain why Mr. Volkerding was so
helpful; Red Hat doesn't include it as part of their official
distribution, and that might explain why they were so disinterested.
(Does anyone from Slackware and/or Red Hat want to comment?)

Joe Vornehm
jvornehm () ece neu edu

Current thread:

RSI.0008.08-18-98.ALL.RPC_PCNFSD RSI Advise (Aug 18)
- Microsoft Security Bulletin (MS98-011) (fwd) brian j. peterson (Aug 18)
- Re: RSI.0008.08-18-98.ALL.RPC_PCNFSD Scott Stone (Aug 19)
  - Re: RSI.0008.08-18-98.ALL.RPC_PCNFSD Casper Dik (Aug 19)
- <Possible follow-ups>
- Re: RSI.0008.08-18-98.ALL.RPC_PCNFSD Brian Martin (Aug 19)
  - Serious bug in Cisco PIX Robert Ståhlbrand (Aug 19)
  - Re: RSI.0008.08-18-98.ALL.RPC_PCNFSD Alan Cox (Aug 19)
  - Re: RSI.0008.08-18-98.ALL.RPC_PCNFSD Joseph E. Vornehm Jr. (Aug 19)
  - Security Bulletins Digest (fwd) Piotr Strzy¿ewski (Aug 19)
- Re: RSI.0008.08-18-98.ALL.RPC_PCNFSD Volker Borchert (Aug 19)