Bug 50321 (CVE-2004-0154)

Summary:	VUL-0: CVE-2004-0154: nfs-utils: remote denial-of-service
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Thomas Biege <thomas>
Component:	Incidents	Assignee:	Ruediger Oertel <ro>
Status:	RESOLVED INVALID	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P3 - Medium	CC:	security-team
Version:	unspecified
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	CVE-2004-0154: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Found By:	---	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description Thomas Biege 2004-03-04 16:16:55 UTC

Moin, 
Mark Cox from RH posted on vendor-sec to point us to a denial-of-service 
condition. 

From: Mark J Cox <mjc@redhat.com> 
To: vendor-sec@lst.de 
Subject: [vendor-sec] nfs-utils DoS 

See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=209318 which I've 
traced as an issue that has also been reported to redhat bugzilla by a 
user.  Looks like a remote DoS to anyone who has rights to mount a 
directory. 

Debian allocated CAN-2004-0154 to this issue, only affects nfs-utils 
after 1.0.3 and before 1.0.6. 

No embargo; fix at will. 

Thanks, Mark 
-- 
Mark J Cox / Red Hat Security Response Team

Comment 1 Thomas Biege 2004-03-04 16:16:55 UTC

<!-- SBZ_reproduce  -->
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=209318

Comment 2 Ruediger Oertel 2004-03-04 19:11:29 UTC

"after 1.0.3 and before 1.0.6" 
yippie ... "no such file or directory" 
 
/work/SRC/old-versions/8.1/UL/all/nfs-utils/nfs-utils-1.0.1.tar.bz2 
/work/SRC/old-versions/8.1/SLEC/all/nfs-utils/nfs-utils-1.0.1.tar.bz2 
/work/SRC/old-versions/8.2/all/nfs-utils/nfs-utils-1.0.1.tar.bz2 
/work/SRC/old-versions/9.0/all/nfs-utils/nfs-utils-1.0.6.tar.bz2 
/work/SRC/all/nfs-utils/nfs-utils-1.0.6.tar.bz2

Comment 3 Ruediger Oertel 2004-03-04 23:01:27 UTC

closing, we're not vulnerable

Comment 4 Thomas Biege 2009-10-13 20:16:54 UTC

CVE-2004-0154: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)