COMMAND

    kernel

SYSTEMS AFFECTED

    NetBSD 1.3.X, NetBSD-current to 19990409, and early versions of
    NetBSD-1.4_ALPHA

PROBLEM

    The following is based on a NetBSD Security Advisory.  Unprivileged
    users can trigger a file-system locking error, causing the system
    to panic or hang.  The following command sequence will trigger the
    vulnerability:

        % ln -s ./ test
        % ln -s ./ test

    Certain kernel operations, such as creating a symbolic link,
    request that the namei() path name resolution routine not unlock
    the node of the directory containing the found file, instead
    returning it to the caller locked.  When the found file is a
    symbolic link, this parent must be unlocked before the symbolic
    link is looked up.  This problem results from the test to unlock
    the parent differing from the test to lock the parent.  The
    difference only manifests itself in the case of a path name which
    ends with a symbolic link ending with one or more "/" characters.
    NetBSD 1.3.3 and prior hang when this bug is exercised.
    NetBSD-current was enhanced to notice locking problems and thus
    panics instead of hanging.
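
    The mismatch described above can be seen in a small user-space model,
    added here as an illustration; it is not NetBSD source and not part of
    the advisory.  The function names and the two predicates are
    assumptions chosen to reproduce the described behaviour: the lock test
    ignores trailing "/" characters, the unlock test does not.

```c
/* Simplified model of the locking decision; not NetBSD source.
 * Function names and both predicates are assumptions for illustration. */
#include <stdio.h>
#include <string.h>

/* Lock test (assumed): final component once trailing slashes are skipped. */
static int last_ignoring_slashes(const char *rest)
{
    while (*rest == '/')
        rest++;
    return *rest == '\0';
}

/* Mismatched unlock test (assumed): final only if nothing at all follows. */
static int last_if_empty(const char *rest)
{
    return *rest == '\0';
}

/* The first component of `path` is a symbolic link and the caller asked for
 * the parent directory to be returned locked.  Returns how many locks are
 * still held on the parent when the link is about to be looked up; anything
 * but 0 means that lookup meets a directory lock that is never released. */
static int parent_locks_at_follow(const char *path, int same_test)
{
    const char *rest = path + strcspn(path, "/");
    int held = 1;                        /* parent locked for the search   */
    int kept = last_ignoring_slashes(rest);

    if (!kept)
        held--;                          /* not final: parent released     */
    /* Symlink found: a parent that was kept locked must be released now. */
    if (same_test ? kept : last_if_empty(rest))
        held--;
    return held;
}

int main(void)
{
    const char *paths[] = { "test", "test/", "test///", "test/x" };  /* constructed */
    size_t i;

    for (i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-8s mismatched=%d same=%d\n", paths[i],
               parent_locks_at_follow(paths[i], 0),
               parent_locks_at_follow(paths[i], 1));
    return 0;
}
```

    Deriving both decisions from one predicate (same_test = 1) leaves no
    path for which the parent stays locked when the link is followed.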

    The NetBSD Project would like to thank Antti Kantee and Matthew
    Orgass for providing information about this problem, and William
    Studenmund for providing a solution.

SOLUTION

    There are no workarounds for this problem.  A patched kernel must
    be installed to fix it.  A patch that fixes the problem is
    available for NetBSD 1.3.3 on the NetBSD ftp server:

        ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/19990412-vfs_lookup

    NetBSD-current since 19990409 is not vulnerable.  Users of
    NetBSD-current should upgrade to a source tree later than 19990409