From:	 Kurt Seifried <seifried@SECURITYPORTAL.COM>
To:	 LINUX-SECURITY@LISTSERV.SECURITYPORTAL.COM
Subject: LSLID:2001050814 - ImmunixOS - samba - IMNX-2001-70-019-01
Date:	 Tue, 8 May 2001 21:41:42 -0600

LSLID:2001050814

-----------------------------------------------------------------------
 Immunix OS Security Advisory

Packages updated: samba
Affected products: Immunix OS 6.2, 7.0-beta, and 7.0
Bugs Fixed:  immunix/1595
Date:   May 8, 2001
Advisory ID:  IMNX-2001-70-019-01
Author:   Greg Kroah-Hartman <greg@wirex.com>
-----------------------------------------------------------------------

Description:
  A temp file race has been found in all releases of Samba prior to
  2.0.9.  This could allow any local malicious user to gain administrator
  privileges on a machine running Samba.  The Samba team has released a
  patch to fix this.

  The following packages fix this problem.


Package names and locations:

  Precompiled binary packages for Immunix 6.2 are available at:

http://immunix.org/ImmunixOS/6.2/updates/RPMS/samba-2.0.8-1_StackGuard_1.i386.rpm

http://immunix.org/ImmunixOS/6.2/updates/RPMS/samba-client-2.0.8-1_StackGuard_1.i386.rpm

http://immunix.org/ImmunixOS/6.2/updates/RPMS/samba-common-2.0.8-1_StackGuard_1.i386.rpm

  Source package for Immunix 6.2 is available at:

http://immunix.org/ImmunixOS/6.2/updates/SRPMS/samba-2.0.8-1_StackGuard_1.src.rpm

  Precompiled binary packages for Immunix 7.0-beta and 7.0 are available at:

http://immunix.org/ImmunixOS/7.0/updates/RPMS/samba-2.0.8-1_imnx_1.i386.rpm

http://immunix.org/ImmunixOS/7.0/updates/RPMS/samba-client-2.0.8-1_imnx_1.i386.rpm

http://immunix.org/ImmunixOS/7.0/updates/RPMS/samba-common-2.0.8-1_imnx_1.i386.rpm

  Source package for Immunix 7.0-beta and 7.0 is available at:

http://immunix.org/ImmunixOS/7.0/updates/SRPMS/samba-2.0.8-1_imnx_1.src.rpm


md5sums of the packages:
  815f374ddce259f675cf419d1af8494a  samba-2.0.8-1_StackGuard_1.i386.rpm
  4a555fdd722a26daa3070b0bbc954797  samba-client-2.0.8-1_StackGuard_1.i386.rpm
  653dbfeddb84886f2e0004c5bb18fee9  samba-common-2.0.8-1_StackGuard_1.i386.rpm
  1cbacbb5080c209a0c3af8c615eed528  samba-2.0.8-1_StackGuard_1.src.rpm

  9110c5a65b0509f7c99b4bcedbe6f88a  samba-2.0.8-1_imnx_1.i386.rpm
  bdf447deea150aa62e2f8fcbfffbcaee  samba-client-2.0.8-1_imnx_1.i386.rpm
  fb48e8fe22f98ad2c48a1e981054d942  samba-common-2.0.8-1_imnx_1.i386.rpm
  dba71feca9def9b40f88d5d33efdf4ff  samba-2.0.8-1_imnx_1.src.rpm


Online version of all Immunix 6.2 updates and advisories:
  http://immunix.org/ImmunixOS/6.2/updates/

Online version of all Immunix 7.0-beta updates and advisories:
  http://immunix.org/ImmunixOS/7.0-beta/updates/

Online version of all Immunix 7.0 updates and advisories:
  http://immunix.org/ImmunixOS/7.0/updates/

NOTE:
  Ibiblio is graciously mirroring our updates, so if the links above are
  slow, please try:
    ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
  or one of the many mirrors available at:
    http://www.ibiblio.org/pub/Linux/MIRRORS.html

From:	 Immunix Security Team <security@wirex.com>
To:	 linux-security@lists.securityportal.com
Subject: [linsec] samba update -- Immunix OS 6.2, 7.0-beta, 7.0
Date:	 Tue, 26 Jun 2001 17:48:37 -0700

-----------------------------------------------------------------------
	Immunix OS Security Advisory

Packages updated:	samba, samba-client, samba-common
Affected products:	Immunix OS 6.2, 7.0-beta, and 7.0
Bugs fixed:		immunix/1649
Date:			Tue Jun 26 2001
Advisory ID:		IMNX-2001-70-027-01
Author:			Seth Arnold <sarnold@wirex.com>
-----------------------------------------------------------------------

Description:
  Michal Zalewski has found a weakness in the Samba suite of SMB protocol
  (Windows and LAN Manager file and printer sharing) programs that allows
  local and remote users to append to files writable by root, as long as
  the path from /var/log/samba is no more than 15 characters long. The
  easiest way to reach arbitrary files is by using a symbolic link in
  /tmp; this attack is stopped on Immunix 7.0 (and 6.2 with our kernel
  updates) because they use Solar Designer's Openwall kernel patch.
  However, users with sufficiently short usernames could use their own
  home directories for symlinks.

  The problem can be mitigated by removing all references to %m from the
  samba configuration file, /etc/samba/smb.conf, until upgrading.
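As an added illustration of the interim mitigation above (not part of the advisory or of Samba itself): a small Python audit that flags smb.conf options whose path value embeds the client-supplied %m macro (the client's NetBIOS name) and rewrites them without it. The list of path-valued options and the sample configuration are constructed for this example.

```python
import re
# Options whose values are filesystem paths: an assumption for this example,
# not an exhaustive catalogue of smb.conf parameters.
PATH_OPTIONS = {"log file", "path", "include", "lock directory", "pid directory"}
SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
OPTION_RE = re.compile(r"^\s*(?P<key>[^=;#]+?)\s*=\s*(?P<value>.*?)\s*$")

# Constructed sample configuration; only "log file" embeds %m.
SAMPLE_CONF = """[global]
   workgroup = CONSTRUCTED
   log file = /var/log/samba/log.%m

[homes]
   comment = Home Directories
   path = /home/%U
"""

def find_client_macro_paths(conf_text, macro="%m"):
    """Return [(section, key, value)] for path options that embed `macro`."""
    findings, section = [], "global"
    for line in conf_text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("name").strip().lower()
            continue
        opt = OPTION_RE.match(line)  # comment lines (';' / '#') never match
        if opt:
            key = " ".join(opt.group("key").lower().split())
            if key in PATH_OPTIONS and macro in opt.group("value"):
                findings.append((section, key, opt.group("value")))
    return findings

def remove_client_macro(conf_text, macro="%m"):
    """Return conf_text with `macro` dropped from flagged path options
    (log.%m -> log); every other line is copied through unchanged."""
    out = []
    for line in conf_text.splitlines():
        opt = OPTION_RE.match(line)
        if opt:
            key = " ".join(opt.group("key").lower().split())
            if key in PATH_OPTIONS and macro in opt.group("value"):
                fixed = opt.group("value").replace(macro, "").rstrip("./")
                line = line[:opt.start("value")] + fixed
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for section, key, value in find_client_macro_paths(SAMPLE_CONF):
        print(f"[{section}] {key} = {value}  <- client-controlled path")
```

Run it against a real file with find_client_macro_paths(open("/etc/samba/smb.conf").read()); the rewrite collapses per-client log files into a single shared log, which is the trade-off the advisory's workaround implies.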

  We suggest upgrading immediately.

  Thanks to Michal Zalewski for finding this problem, and thanks to the
  Samba team for their rapid response.

References:
  http://us1.samba.org/samba/whatsnew/macroexploit.html
  http://www.securityfocus.com/archive/1/193027
  http://www.securityfocus.com/archive/1/193501

Package names and locations:
  Precompiled binary packages for Immunix 6.2 are available at:
  http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/samba-2.0.10-1_StackGuard_1.i386.rpm
  http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/samba-client-2.0.10-1_StackGuard_1.i386.rpm
  http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/samba-common-2.0.10-1_StackGuard_1.i386.rpm

  Source packages for Immunix 6.2 are available at:
  http://download.immunix.org/ImmunixOS/6.2/updates/SRPMS/samba-2.0.10-1_StackGuard_1.src.rpm

  Precompiled binary packages for Immunix 7.0-beta and 7.0 are available at:
  http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/samba-2.0.10-1_imnx_1.i386.rpm
  http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/samba-client-2.0.10-1_imnx_1.i386.rpm
  http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/samba-common-2.0.10-1_imnx_1.i386.rpm

  Source package for Immunix 7.0-beta and 7.0 is available at:
  http://download.immunix.org/ImmunixOS/7.0/updates/SRPMS/samba-2.0.10-1_imnx_1.src.rpm

Immunix OS 6.2 md5sums:
  da6b34ebc720c502eaf66a9b36ee12c4  RPMS/samba-2.0.10-1_StackGuard_1.i386.rpm
  09c1252a93695157ee01574b668d34fc  RPMS/samba-client-2.0.10-1_StackGuard_1.i386.rpm
  e097092969435a751c038c4fd6ceb81b  RPMS/samba-common-2.0.10-1_StackGuard_1.i386.rpm
  627fa90d8de54f3c57d45621101c25cc  SRPMS/samba-2.0.10-1_StackGuard_1.src.rpm

Immunix OS 7.0 md5sums:
  1037179f0e7c33ade98d502e073922f7  RPMS/samba-2.0.10-1_imnx_1.i386.rpm
  66a119a79bea0b44ff99556ecd94eceb  RPMS/samba-client-2.0.10-1_imnx_1.i386.rpm
  285625cf5281cbb01d6f885bc54f493f  RPMS/samba-common-2.0.10-1_imnx_1.i386.rpm
  080ea9972bde36576adf780df5c314a0  SRPMS/samba-2.0.10-1_imnx_1.src.rpm

GPG verification:
  Our public key is available at <http://wirex.com/security/GPG_KEY>.
  *** NOTE *** This key is different from the one used in advisories
  IMNX-2001-70-020-01 and earlier.

Online version of all Immunix 6.2 updates and advisories:
  http://immunix.org/ImmunixOS/6.2/updates/

Online version of all Immunix 7.0-beta updates and advisories:
  http://immunix.org/ImmunixOS/7.0-beta/updates/

Online version of all Immunix 7.0 updates and advisories:
  http://immunix.org/ImmunixOS/7.0/updates/

NOTE:
  Ibiblio is graciously mirroring our updates, so if the links above are
  slow, please try:
    ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
  or one of the many mirrors available at:
    http://www.ibiblio.org/pub/Linux/MIRRORS.html

Contact information:
  To report vulnerabilities, please contact security@wirex.com. WireX
  attempts to conform to the RFP vulnerability disclosure protocol
  <http://www.wiretrip.net/rfp/policy.html>.
