[20322] in bugtraq

Re: Samba 2.0.8 security fix

daemon@ATHENA.MIT.EDU (tridge@SAMBA.ORG)
Thu Apr 19 15:57:39 2001

Message-ID:  <20010419034249.65AAF5166@lists.samba.org>
Date:         Wed, 18 Apr 2001 20:42:49 -0700
Reply-To: tridge@valinux.com
From: tridge@SAMBA.ORG
X-To:         nick.boyce@eds.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <C1B2296C5D3ED11182DB00805F9A097E015065D8@GBHBM001>
              (nick.boyce@eds.com)

> Can Tridge or anyone else confirm whether or not this bug was present in
> Samba versions earlier than 2.0.7 ?

The bug was introduced into the CVS tree on June 27th 1997. That means
all versions from (and including) 1.9.17alpha4 are
vulnerable. Amazingly, the bug went undetected through several
security audits by various companies over the last 4 years.

The impact of the bug varies a little between versions. In the 2.0.7
release the exploit is only easy (and perhaps only possible, but I
won't guarantee it) if you are exporting printer shares. In either
case, we consider it a serious enough risk that all sites should
upgrade as soon as possible, especially if you have untrusted users
with shell accounts.

Note that the bug is not a race condition. Given the right conditions
the exploit will be successful first time every time (i.e. it is not a
classic mktemp race).

Cheers, Tridge
