COMMAND

    /dev

SYSTEMS AFFECTED

    NetBSD, FreeBSD-current, OpenBSD

PROBLEM

    Hubert Feyrer found the following. In {Free,Net,Open}BSD, any user
    can mount a filesystem as long as he owns the mountpoint and has
    appropriate access to the device to mount from. Almost! For the
    cd9660 filesystem (and, at least on NetBSD, the filecorefs) this
    second check was not performed, and any user was able to mount and
    access a CDROM whether /dev/cd0a was accessible to him or not.

SOLUTION

    This was fixed in NetBSD on 19980905 by Charles Hannum; the
    problem is still present in Free- and OpenBSD as of the time of
    this writing.

    Note that in OpenBSD only the superuser may mount filesystems by
    default. This can be changed by setting the kern.usermount sysctl
    to 1. The same goes for FreeBSD. Also, the problem is only
    relevant for FreeBSD-current, not -stable or the releases, i.e.
    2.2.* does not seem vulnerable.
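
    The two checks described above, as an added userland model that is
    not kernel code from any of these systems: it puts the cd9660 path
    that skipped the device check beside the corrected behaviour. All
    struct and function names, and the sample uid/gid/mode values, are
    hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Hypothetical model types; these are not kernel structures. */
struct node { uid_t uid; gid_t gid; mode_t mode; };
struct cred { uid_t uid; gid_t gid; };

/* Classic owner/group/other read-permission check on a device node. */
static bool can_read(const struct node *n, const struct cred *c)
{
    if (c->uid == 0)
        return true;
    if (c->uid == n->uid)
        return (n->mode & S_IRUSR) != 0;
    if (c->gid == n->gid)
        return (n->mode & S_IRGRP) != 0;
    return (n->mode & S_IROTH) != 0;
}

/*
 * usermount models the kern.usermount setting (treat it as true on a
 * system where users may mount by default).
 * check_device == false models the cd9660 path that skipped the second
 * check; check_device == true models the behaviour after the fix.
 */
static bool may_mount(const struct cred *c, const struct node *mountpoint,
                      const struct node *device, bool usermount,
                      bool check_device)
{
    if (c->uid == 0)
        return true;                    /* superuser may always mount */
    if (!usermount)
        return false;                   /* user mounts disabled */
    if (c->uid != mountpoint->uid)
        return false;                   /* check 1: owns the mountpoint */
    if (check_device && !can_read(device, c))
        return false;                   /* check 2: access to the device */
    return true;
}

int main(void)
{
    struct cred user = { 1000, 1000 };      /* constructed sample user */
    struct node mnt  = { 1000, 1000, 0755 }; /* mountpoint owned by user */
    struct node cd0a = { 0, 5, 0640 };       /* constructed: device 0:5, mode 0640 */

    printf("device check skipped: %d\n", may_mount(&user, &mnt, &cd0a, true, false));
    printf("device check applied: %d\n", may_mount(&user, &mnt, &cd0a, true, true));
    return 0;
}
```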