From: Kurt Seifried <seifried@SECURITYPORTAL.COM> To: LINUX-SECURITY@LISTSERV.SECURITYPORTAL.COM Subject: LSLID:2001050814 - ImmunixOS - samba - IMNX-2001-70-019-01 Date: Tue, 8 May 2001 21:41:42 -0600 LSLID:2001050814 ----------------------------------------------------------------------- Immunix OS Security Advisory Packages updated: samba Affected products: Immunix OS 6.2, 7.0-beta, and 7.0 Bugs Fixed: immunix/1595 Date: May 8, 2001 Advisory ID: IMNX-2001-70-019-01 Author: Greg Kroah-Hartman <greg@wirex.com> ----------------------------------------------------------------------- Description: A temp file race has been found in the all release of samba prior to 2.0.9. This could allow any local malicious user to get administrator privileges on a machine running samba. The Samba team has released a patch to fix this. The following packages fix this problem. Package names and locations: Precompiled binary packages for Immunix 6.2 are available at: http://immunix.org/ImmunixOS/6.2/updates/RPMS/samba-2.0.8-1_StackGuard_1.i386. rpm http://immunix.org/ImmunixOS/6.2/updates/RPMS/samba-client-2.0.8-1_StackGuard_ 1.i386.rpm http://immunix.org/ImmunixOS/6.2/updates/RPMS/samba-common-2.0.8-1_StackGuard_ 1.i386.rpm Source package for Immunix 6.2 is available at: http://immunix.org/ImmunixOS/6.2/updates/SRPMS/samba-2.0.8-1_StackGuard_1.src. rpm Precompiled binary packages for Immunix 7.0-beta and 7.0 are available at: http://immunix.org/ImmunixOS/7.0/updates/RPMS/samba-2.0.8-1_imnx_1.i386.rpm http://immunix.org/ImmunixOS/7.0/updates/RPMS/samba-client-2.0.8-1_imnx_1.i386 .rpm http://immunix.org/ImmunixOS/7.0/updates/RPMS/samba-common-2.0.8-1_imnx_1.i386 .rpm Source package for Immunix 7.0-beta and 7.0 is available at: http://immunix.org/ImmunixOS/7.0/updates/SRPMS/samba-2.0.8-1_imnx_1.src.rpm md5sums of the packages: 815f374ddce259f675cf419d1af8494a samba-2.0.8-1_StackGuard_1.i386.rpm 4a555fdd722a26daa3070b0bbc954797 samba-client-2.0.8-1_StackGuard_1.i386.rpm 653dbfeddb84886f2e0004c5bb18fee9 samba-common-2.0.8-1_StackGuard_1.i386.rpm 1cbacbb5080c209a0c3af8c615eed528 samba-2.0.8-1_StackGuard_1.src.rpm 9110c5a65b0509f7c99b4bcedbe6f88a samba-2.0.8-1_imnx_1.i386.rpm bdf447deea150aa62e2f8fcbfffbcaee samba-client-2.0.8-1_imnx_1.i386.rpm fb48e8fe22f98ad2c48a1e981054d942 samba-common-2.0.8-1_imnx_1.i386.rpm dba71feca9def9b40f88d5d33efdf4ff samba-2.0.8-1_imnx_1.src.rpm Online version of all Immunix 6.2 updates and advisories: http://immunix.org/ImmunixOS/6.2/updates/ Online version of all Immunix 7.0-beta updates and advisories: http://immunix.org/ImmunixOS/7.0-beta/updates/ Online version of all Immunix 7.0 updates and advisories: http://immunix.org/ImmunixOS/7.0/updates/ NOTE: Ibiblio is graciously mirroring our updates, so if the links above are slow, please try: ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/ or one of the many mirrors available at: http://www.ibiblio.org/pub/Linux/MIRRORS.html From linux-security-admin@lists.securityportal.com Tue Jun 26 19:03:28 2001 Return-Path: <linux-security-admin@lists.securityportal.com> Received: from localhost (IDENT:cool@io [127.0.0.1]) by jelly.lwn.net (8.9.3/8.9.3) with ESMTP id TAA03234 for <cool@localhost>; Tue, 26 Jun 2001 19:03:28 -0600 Delivered-To: cool@lwn.net Received: from vena.lwn.net [206.168.112.25] by localhost with POP3 (fetchmail-5.5.0) for cool@localhost (single-drop); Tue, 26 Jun 2001 19:03:28 -0600 (MDT) Received: (qmail 23062 invoked by uid 1013); 27 Jun 2001 01:03:08 -0000 Delivered-To: lwn-sp@lwn.net Received: (qmail 23058 invoked from network); 27 Jun 2001 01:03:08 -0000 Received: from unknown (HELO dug.cryptoarchive.net) (64.40.109.48) by vena.lwn.net with SMTP; 27 Jun 2001 01:03:08 -0000 Received: from dug.cryptoarchive.net (localhost [127.0.0.1]) by dug.cryptoarchive.net (Postfix) with ESMTP id DB37DDBA3D; Tue, 26 Jun 2001 16:58:02 -0700 (PDT) Delivered-To: linux-security@lists.securityportal.com Received: from blue.int.wirex.com (cerebus.wirex.com [216.161.55.93]) by dug.cryptoarchive.net (Postfix) with ESMTP id AC561DBA36 for <linux-security@lists.securityportal.com>; Tue, 26 Jun 2001 16:50:49 -0700 (PDT) Received: (from sarnold@localhost) by blue.int.wirex.com (8.11.0/8.11.0) id f5R0mbp24256 for linux-security@lists.securityportal.com; Tue, 26 Jun 2001 17:48:37 -0700 From: Immunix Security Team <security@wirex.com> To: linux-security@lists.securityportal.com Message-ID: <20010626174837.N4196@wirex.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="fU5tsrXreH0/dVH0" Content-Disposition: inline User-Agent: Mutt/1.2.5i Subject: [linsec] samba update -- Immunix OS 6.2, 7.0-beta, 7.0 Sender: linux-security-admin@lists.securityportal.com Errors-To: linux-security-admin@lists.securityportal.com X-BeenThere: linux-security@lists.securityportal.com X-Mailman-Version: 2.0.4 Precedence: bulk Reply-To: linux-security@lists.securityportal.com List-Help: <mailto:linux-security-request@lists.securityportal.com?subject=help> List-Post: <mailto:linux-security@lists.securityportal.com> List-Subscribe: <https://lists.securityportal.com/mailman/listinfo/linux-security>, <mailto:linux-security-request@lists.securityportal.com?subject=subscribe> List-Id: Linux security announcements <linux-security.lists.securityportal.com> List-Unsubscribe: <https://lists.securityportal.com/mailman/listinfo/linux-security>, <mailto:linux-security-request@lists.securityportal.com?subject=unsubscribe> List-Archive: <https://lists.securityportal.com/pipermail/linux-security/> Date: Tue, 26 Jun 2001 17:48:37 -0700 Status: RO Content-Length: 5014 Lines: 134 --fU5tsrXreH0/dVH0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable ----------------------------------------------------------------------- Immunix OS Security Advisory Packages updated: samba, samba-client, samba-common Affected products: Immunix OS 6.2, 7.0-beta, and 7.0 Bugs fixed: immunix/1649 Date: Tue Jun 26 2001 Advisory ID: IMNX-2001-70-027-01 Author: Seth Arnold <sarnold@wirex.com> ----------------------------------------------------------------------- Description: Michal Zalewski has found a weakness in the Samba suit of SMB protocol (Windows and LANManager file and printer sharing) programs that allow local and remote users to append to files writable by root, as long as the path from /var/log/samba is no more than 15 characters long. The easiest way to reach arbitrary files is by using a symbolic link in /tmp; this attack is stopped on Immunix 7.0 (and 6.2 with our kernel updates) because they use Solar Designer's Openwall kernel patch. However, users with sufficiently short usernames could use their own home directories for symlinks. The problem can be mitigated by removing all references to %m from the samba configuration file, /etc/samba/smb.conf until upgrading. We suggest upgrading immediately. Thanks to Michal Zalewski for finding this problem, and thanks to the Samba team for their rapid response. References: http://us1.samba.org/samba/whatsnew/macroexploit.html http://www.securityfocus.com/archive/1/193027 http://www.securityfocus.com/archive/1/193501 Package names and locations: Precompiled binary packages for Immunix 6.2 are available at: http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/samba-2.0.10-1_Sta= ckGuard_1.i386.rpm http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/samba-client-2.0.1= 0-1_StackGuard_1.i386.rpmhttp://download.immunix.org/ImmunixOS/6.2/updates/= RPMS/samba-common-2.0.10-1_StackGuard_1.i386.rpm Source packages for Immunix 6.2 are available at: http://download.immunix.org/ImmunixOS/6.2/updates/SRPMS/samba-2.0.10-1_St= ackGuard_1.src.rpm Precompiled binary packages for Immunix 7.0-beta and 7.0 are available at: http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/samba-2.0.10-1_imn= x_1.i386.rpm http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/samba-client-2.0.1= 0-1_imnx_1.i386.rpm http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/samba-common-2.0.1= 0-1_imnx_1.i386.rpm Source package for Immunix 7.0-beta and 7.0 is available at: http://download.immunix.org/ImmunixOS/7.0/updates/SRPMS/samba-2.0.10-1_im= nx_1.src.rpm Immunix OS 6.2 md5sums: da6b34ebc720c502eaf66a9b36ee12c4 RPMS/samba-2.0.10-1_StackGuard_1.i386.r= pm 09c1252a93695157ee01574b668d34fc RPMS/samba-client-2.0.10-1_StackGuard_1= .i386.rpm e097092969435a751c038c4fd6ceb81b RPMS/samba-common-2.0.10-1_StackGuard_1= .i386.rpm 627fa90d8de54f3c57d45621101c25cc SRPMS/samba-2.0.10-1_StackGuard_1.src.r= pm Immunix OS 7.0 md5sums: 1037179f0e7c33ade98d502e073922f7 RPMS/samba-2.0.10-1_imnx_1.i386.rpm 66a119a79bea0b44ff99556ecd94eceb RPMS/samba-client-2.0.10-1_imnx_1.i386.= rpm 285625cf5281cbb01d6f885bc54f493f RPMS/samba-common-2.0.10-1_imnx_1.i386.= rpm 080ea9972bde36576adf780df5c314a0 SRPMS/samba-2.0.10-1_imnx_1.src.rpm GPG verification: = =20 Our public key is available at <http://wirex.com/security/GPG_KEY>. = =20 *** NOTE *** This key is different from the one used in advisories = =20 IMNX-2001-70-020-01 and earlier. Online version of all Immunix 6.2 updates and advisories: http://immunix.org/ImmunixOS/6.2/updates/ Online version of all Immunix 7.0-beta updates and advisories: http://immunix.org/ImmunixOS/7.0-beta/updates/ Online version of all Immunix 7.0 updates and advisories: http://immunix.org/ImmunixOS/7.0/updates/ NOTE: Ibiblio is graciously mirroring our updates, so if the links above are slow, please try: ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/ or one of the many mirrors available at: http://www.ibiblio.org/pub/Linux/MIRRORS.html Contact information: To report vulnerabilities, please contact security@wirex.com. WireX=20 attempts to conform to the RFP vulnerability disclosure protocol <http://www.wiretrip.net/rfp/policy.html>. --fU5tsrXreH0/dVH0 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjs5LWUACgkQVQcWL60UVMsUqgCdH6yixUPUyGgUZ+Ug98Y0G/nV USMAn2GC9gUiQr8eYhbI+jj3enHyYj43 =sSXK -----END PGP SIGNATURE----- --fU5tsrXreH0/dVH0-- _______________________________________________ linux-security mailing list linux-security@lists.securityportal.com https://lists.securityportal.com/mailman/listinfo/linux-security http://www.securityportal.com/list/linux-security/