A vulnerability exists in the rpc.statd program, which is part of the nfs-utils
package distributed with a number of popular Linux distributions. Because of a format
string vulnerability in a call to the syslog() function, a malicious remote user can
execute arbitrary code as root.
The rpc.statd server is an RPC server that implements the Network Status and Monitor
RPC protocol. It's a component of the Network File System (NFS) architecture.
The logging code in rpc.statd passes user-supplied data to syslog() as the format
string rather than as an argument. Since syslog() interprets printf-style conversion
directives, a malicious user can construct a string that reads from and writes to the
stack (for instance with %x and %n directives), injects executable code into the
process address space and overwrites a function's return address, thus forcing the
program to execute that code.
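The vulnerable pattern next to its hardened form, as an added illustration that is not code from the advisory or from nfs-utils. The hostile input string is constructed for the demonstration (the advisory does not quote the actual trigger), and the helper names are this example's own; the point is that a fixed "%s" format renders client bytes verbatim, while the same bytes used as a format string drive printf's parser.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Constructed hostile input, standing in for a client-controlled field
 * such as a host name in an NSM request (assumption: the advisory does
 * not quote the real trigger). Each "%x" consumes a word from the
 * stack; "%n" writes the number of bytes emitted so far to the address
 * found there, which is how a return address gets overwritten. */
static const char HOSTILE_INPUT[] = "%x%x%x%x%n";

/* Vulnerable pattern: client data becomes the format string.
 * The pragma only silences the compiler's (correct) warning. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
static void log_unsafe(const char *client_data)
{
    syslog(LOG_ERR, client_data);          /* never do this */
}
#pragma GCC diagnostic pop

/* Hardened pattern: a fixed format, client data as an argument. */
static void log_safe(const char *client_data)
{
    syslog(LOG_ERR, "%s", client_data);
}

/* Count printf conversion directives in a string; "%%" is a literal
 * percent sign and does not count. Usable as a check on inbound data
 * or on captured log lines: a legitimate host name has no '%' at all. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {              /* escaped percent */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Same shape as log_safe, but into a buffer so the result can be
 * inspected: the hostile bytes come out verbatim, and nothing is read
 * from or written to the stack. */
int render_safe(char *out, size_t outlen, const char *client_data)
{
    return snprintf(out, outlen, "statd: %s", client_data);
}

/* 1 if the safe rendering of client_data equals expected. */
int render_safe_equals(const char *client_data, const char *expected)
{
    char buf[256];
    render_safe(buf, sizeof buf, client_data);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    char buf[128];
    openlog("statd-demo", LOG_PID, LOG_DAEMON);
    printf("conversion directives in input: %d\n",
           count_conversions(HOSTILE_INPUT));
    render_safe(buf, sizeof buf, HOSTILE_INPUT);
    printf("safe rendering: %s\n", buf);
    log_safe(HOSTILE_INPUT);            /* logs the literal %x%x%x%x%n */
    log_unsafe("benign literal");       /* harmless only because it has no '%' */
    closelog();
    return 0;
}
```

The fix applied by the distributions is the one-line change from log_unsafe to log_safe; count_conversions is a useful extra check when grepping old logs for attempts, since a host name carrying "%n" is never legitimate.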
rpc.statd requires root privileges to open its network socket, but fails to drop
them afterwards. Thus any code the malicious user injects executes with root
privileges.
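What the missing step looks like, as an added example that is neither the advisory's nor nfs-utils' code: once the privileged socket is bound, the daemon clears its supplementary groups, changes gid, then uid, and verifies that root cannot be regained. The target account (uid/gid 65534, a "nobody"-style user) is an assumption for the demonstration; when run without root it drops to the caller's own ids, which exercises the same verification path.

```c
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently give up root after privileged setup (socket binding) is
 * done. Order matters: supplementary groups first, then gid, then uid,
 * because once the uid is gone the other two can no longer be changed.
 * As root, setuid() sets real, effective and saved uid, so there is no
 * way back; the final check confirms that. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0)
        return -1;                      /* refuse to "drop" to root */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;                      /* only root may (and must) clear groups */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Verify: any route back to root must fail. */
    if (geteuid() == 0 || setuid(0) == 0)
        return -1;
    return 0;
}

/* 1 if this process can still act as root, 0 otherwise. */
int can_regain_root(void)
{
    if (geteuid() == 0)
        return 1;
    return setuid(0) == 0;
}

int main(void)
{
    /* Assumption: a "nobody"-style account with uid/gid 65534. The
     * advisory does not say which account statd should run as. */
    uid_t target_uid = geteuid() == 0 ? (uid_t)65534 : getuid();
    gid_t target_gid = geteuid() == 0 ? (gid_t)65534 : getgid();

    /* ... bind the privileged socket here, while still root ... */

    if (drop_privileges(target_uid, target_gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("uid=%d euid=%d can_regain_root=%d\n",
           (int)getuid(), (int)geteuid(), can_regain_root());
    return 0;
}
```

With the privileges dropped this way, the format string bug would still give an attacker code execution, but as the unprivileged account rather than as root; it is a containment measure, not a substitute for the syslog() fix.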
Debian, Red Hat and Conectiva have all released advisories on this matter.
Presumably, any Linux distribution which runs the statd process is vulnerable,
unless patched for the problem.