19th Mar 1999 [SBWID-170]
COMMAND
	    mount
SYSTEMS AFFECTED
	    NetBSD 1.3.3
PROBLEM
	    On a  system where  all partitions  writable by  regular users are
	    mounted with  the `noexec'  option, a  regular user  should not be
	    able to execute a  binary which was not  put on the system  by the
	    administrator.  Insufficient checks  in the mount system  call may
	    allow  a  regular  user  to  mount  a device, remote host or local
	    directory without  the `noexec'  option, allowing  them to execute
	    arbitrary binaries.
	    The  mount  syscall  does  not  require  root  privileges; it only
	    requires that the user has read access to the target and is  owner
	    of the  mount point.   For such  mounts, the  `nosuid' and `nodev'
	    flags, which disable set-id  executables and device special  files
	    respectively, are automatically handled by the mount system  call,
	    but not the `noexec' flag,  which disables the ability to  execute
	    binaries on this partition.  This allows a regular user to perform
	    a mount on a mount point  he owns, and then execute binaries  from
	    this  mount  point,  even  if  the  mount point was initially in a
	    sub-tree  of  the  global  filesystem  mounted  with  the `noexec'
	    option.  The  easiest way to  bypass a `noexec'  restriction is to
	    use a nullfs mount, but an NFS mount, or a mount from  a readable
	    block device can allow it as  well.  Thanks go to  Manuel  Bouyer
	    for the solution.
SOLUTION
	    A patch is available for NetBSD 1.3.3 which makes the mount
	    system call inherit the `noexec'  flag from the mount point.   You
	    may find this patch on the NetBSD ftp server:
	
	        ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/19990317-mount
	
	    NetBSD-current  since  19990318  is  not  vulnerable.   Users   of
	    NetBSD-current  should  upgrade  to  a  source  tree  later   than
	    19990318.
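
	    The flag handling described above, as an added example that is
	    not part of the original advisory and not NetBSD source code: a
	    reduced C model of how flags are forced on a non-root mount, with
	    and without the `noexec' inheritance the patch introduces.  The
	    struct, function names and flag values are assumptions made for
	    illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Illustrative flag bits for this model (not copied from the NetBSD source). */
enum { MNT_NOEXEC = 0x04, MNT_NOSUID = 0x08, MNT_NODEV = 0x10 };

/* Hypothetical, reduced view of a mount request. */
struct mount_req {
    bool is_root;          /* caller is the superuser */
    bool owns_mount_point; /* caller owns the directory being covered */
    bool can_read_target;  /* caller has read access to the device/dir */
    unsigned req_flags;    /* flags the caller asked for */
    unsigned parent_flags; /* flags of the filesystem holding the mount point */
};

/* Returns the effective mount flags, or -1 if the mount is refused. */
static int effective_flags(const struct mount_req *r, bool patched)
{
    unsigned flags = r->req_flags;

    if (r->is_root)
        return (int)flags;              /* administrator's choice is honoured */
    if (!r->owns_mount_point || !r->can_read_target)
        return -1;                      /* preconditions for a user mount */
    /* Behaviour the advisory describes: forced on every user mount. */
    flags |= MNT_NOSUID | MNT_NODEV;
    /* Behaviour of the fix: inherit noexec from the mount point. */
    if (patched && (r->parent_flags & MNT_NOEXEC))
        flags |= MNT_NOEXEC;
    return (int)flags;
}

static bool exec_allowed(int flags)
{
    return flags >= 0 && !(flags & MNT_NOEXEC);
}

int main(void)
{
    /* Constructed case: a user mounts onto a directory they own under a noexec tree. */
    struct mount_req r = { false, true, true, 0, MNT_NOEXEC | MNT_NOSUID | MNT_NODEV };
    printf("unpatched: exec %s\n", exec_allowed(effective_flags(&r, false)) ? "allowed" : "denied");
    printf("patched:   exec %s\n", exec_allowed(effective_flags(&r, true)) ? "allowed" : "denied");
    return 0;
}
```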
	
