Executive Summary

Summary
Title Updated libnfsidmap packages fix username lookup flaw
Information
Name: MDKSA-2007:240 First vendor publication: 2007-12-07
Vendor: Mandriva Last vendor modification: 2007-12-07
Severity (Vendor): N/A Revision: N/A

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS Score: N/A
Base Score: N/A Environmental Score: N/A
Impact SubScore: N/A Temporal Score: N/A
Exploitability SubScore: N/A
 

Security-Database Scoring CVSS v2

CVSS vector: (AV:L/AC:H/Au:N/C:C/I:C/A:C)
CVSS Base Score: 6.2 Attack Range: Local
CVSS Impact Score: 10 Attack Complexity: High
CVSS Exploit Score: 1.9 Authentication: None Required

Detail

The NFSv4 ID mapper prior to 0.17 did not properly handle return values from the getpwnam_r() function when performing a username lookup, which could cause it to report a file as being owned by 'root' instead of 'nobody' if the file exists on the server but not the client.

The updated packages have been patched to correct these issues.
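
Added example (not code from libnfsidmap or from this advisory): POSIX getpwnam_r() returns 0 and sets *result to NULL when no matching entry exists, so a caller that checks only the return code can read uid 0 from an untouched, zeroed struct. The function names, the 4096-byte buffer, the sample user name and the fallback id 65534 for 'nobody' are assumptions made for illustration.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>

#define NOBODY_UID ((uid_t)65534) /* assumed id of 'nobody' on this client */

typedef uid_t (*interpret_fn)(int, const struct passwd *, const struct passwd *);

/* Flawed interpretation: only the return code is checked. With rc == 0 and
 * result == NULL ("no such user") it reads pw_uid from a struct that the
 * lookup never filled in; if that struct was zeroed, the answer is 0 (root). */
uid_t uid_flawed(int rc, const struct passwd *pw, const struct passwd *result)
{
    (void)result;
    return rc != 0 ? NOBODY_UID : pw->pw_uid;
}

/* Hardened interpretation: any error (ERANGE, EIO, ...) or a NULL result
 * maps to 'nobody'; the uid is read only through the result pointer. */
uid_t uid_hardened(int rc, const struct passwd *pw, const struct passwd *result)
{
    (void)pw;
    if (rc != 0 || result == NULL)
        return NOBODY_UID;
    return result->pw_uid;
}

/* Perform the lookup and let the chosen interpretation decide the owner. */
uid_t name_to_uid(const char *name, interpret_fn interpret)
{
    struct passwd pw = {0}, *result = NULL;
    char buf[4096];
    int rc = getpwnam_r(name, &pw, buf, sizeof buf, &result);
    return interpret(rc, &pw, result);
}

int main(void)
{
    /* Constructed name standing in for a user known to the server only. */
    const char *name = "no-such-user-constructed";
    printf("flawed:   %lu\n", (unsigned long)name_to_uid(name, uid_flawed));
    printf("hardened: %lu\n", (unsigned long)name_to_uid(name, uid_hardened));
    return 0;
}
```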

Original Source

Url : http://www.mandriva.com/security/advisories?name=MDKSA-2007:240

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:22280
 
Oval ID: oval:org.mitre.oval:def:22280
Title: ELSA-2007:0951: nfs-utils-lib security update (Important)
Description: The NFSv4 ID mapper (nfsidmap) before 0.17 does not properly handle return values from the getpwnam_r function when performing a username lookup, which can cause it to report a file as being owned by "root" instead of "nobody" if the file exists on the server but not on the client.
Family: unix Class: patch
Reference(s): ELSA-2007:0951-01
CVE-2007-3999
CVE-2007-4135
Version: 13
Platform(s): Oracle Linux 5
Product(s): nfs-utils-lib
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:9864
 
Oval ID: oval:org.mitre.oval:def:9864
Title: The NFSv4 ID mapper (nfsidmap) before 0.17 does not properly handle return values from the getpwnam_r function when performing a username lookup, which can cause it to report a file as being owned by "root" instead of "nobody" if the file exists on the server but not on the client.
Description: The NFSv4 ID mapper (nfsidmap) before 0.17 does not properly handle return values from the getpwnam_r function when performing a username lookup, which can cause it to report a file as being owned by "root" instead of "nobody" if the file exists on the server but not on the client.
Family: unix Class: vulnerability
Reference(s): CVE-2007-4135
Version: 5
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
Product(s):
Definition Synopsis:

OpenVAS Exploits

Date Description
2009-04-09 Name : Mandriva Update for libnfsidmap MDKSA-2007:240 (libnfsidmap)
File : nvt/gb_mandriva_MDKSA_2007_240.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
45825 NFSv4 ID Mapper (nfsidmap) getpwnam_r Function Username Lookup File Ownership...

Nessus® Vulnerability Scanner

Date Description
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2007-0951.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20071004_nfs_utils_lib_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2010-01-06 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2007-0951.nasl - Type : ACT_GATHER_INFO
2007-12-11 Name : The remote Mandrake Linux host is missing one or more security updates.
File : mandrake_MDKSA-2007-240.nasl - Type : ACT_GATHER_INFO
2007-10-03 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2007-0951.nasl - Type : ACT_GATHER_INFO

Alert History

Date Information
2014-02-17 11:39:04
  • Multiple Updates