From Ubuntu's changelog:
  * utils/statd/statd.c (patch from SGI):
   - drop_privs(): fix uninitialized st.st_gid value when running as root
     (not exploitable, but using random group ids might be confusing)
  * utils/rquotad/rquota_server.c (Arjan van de Ven):
    - getquotainfo(): do not use memcpy() to copy
      values from struct dqblk to struct rquota; on 64 bit architectures time_t
      is 64 bits wide, but the target fields are only 32 bit, thus causing a
      buffer overflow
    - CAN-2004-0946

--- nfs-utils-1.0.6.orig/utils/statd/statd.c
+++ nfs-utils-1.0.6/utils/statd/statd.c
@@ -179,8 +179,10 @@
 	struct stat st;
 
 	if (stat(SM_DIR, &st) == -1 &&
-	    stat(DIR_BASE, &st) == -1)
+	    stat(DIR_BASE, &st) == -1) {
 		st.st_uid = 0;
+		st.st_gid = 0;
+	}
 
 	if (st.st_uid == 0) {
 		note(N_WARNING, "statd running as root. chown %s to choose different user\n",
--- nfs-utils-1.0.6.orig/utils/rquotad/rquota_server.c
+++ nfs-utils-1.0.6/utils/rquotad/rquota_server.c
@@ -76,6 +76,7 @@
    char *pathname, *qfpathname;
    int fd, err, id, type;
    struct stat stm, stn;
+   struct rquota *rquota;
 
    /*
     * First check authentication.
@@ -168,8 +169,16 @@
           * Make a copy of the info into the last part of the remote quota
           * struct which is exactly the same.
           */
-         memcpy((caddr_t *)&result.getquota_rslt_u.gqr_rquota.rq_bhardlimit,
-                (caddr_t *)&dq_dqb, sizeof(struct dqblk));
+
+         rquota = &result.getquota_rslt_u.gqr_rquota;
+         rquota->rq_bhardlimit = dq_dqb.dqb_bhardlimit;
+         rquota->rq_bsoftlimit = dq_dqb.dqb_bsoftlimit;;
+         rquota->rq_curblocks = dq_dqb.dqb_curblocks;
+         rquota->rq_fhardlimit = dq_dqb.dqb_ihardlimit;
+         rquota->rq_fsoftlimit = dq_dqb.dqb_isoftlimit;
+         rquota->rq_curfiles = dq_dqb.dqb_curinodes;
+         rquota->rq_btimeleft = dq_dqb.dqb_btime;
+         rquota->rq_ftimeleft = dq_dqb.dqb_itime;
 
          return(&result);
       }