OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Progeny Security Team (securityPROGENY.COM)
Date: Wed Apr 18 2001 - 13:03:54 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

     ---------------------------------------------------------------------------
     PROGENY LINUX SYSTEMS -- SECURITY ADVISORY PROGENY-SA-2001-05
     ---------------------------------------------------------------------------

        Topic: Samba /tmp vulnerabilities

        Category: net
        Modules: samba smbclient
        Announced: 2001-04-18
        Credits: Marcus Meissner <Marcus.Meissnercaldera.de>
        Affects: Progeny Debian (samba, smbclient prior to 2.0.7-3.2)
                        Debian GNU/Linux (samba, smbclient prior to 2.0.7-3.2)
        Vendor-Status: New Version Released
                        (samba_2.0.7-3.2, smbclient_2.0.7-3.2)
        Corrected: 2001-04-18
        Progeny Only: NO

        $Id: PROGENY-SA-2001-05,v 1.11 2001/04/18 17:53:55 jdaily Exp $

     ---------------------------------------------------------------------------

    SYNOPSIS

    smbclient and samba use /tmp files in an insecure manner, allowing
    local users to overwrite files to which they would ordinarily not have
    access.

    PROBLEM DESCRIPTION

    Marcus Meissner discovered that Samba was not creating temporary
    files safely. This happened in two places:

    * When a remote user queried a printer queue, samba would create a
      temporary file in which the queue's data would be written. This was
      using a predictable filename, and doing it insecurely, allowing a
      local attacker to trick samba into overwriting files it shouldn't.

    * The smbclient "more" and "mput" commands also created temporary
      files in /tmp insecurely.

    Both problems have been fixed in version 2.0.7-3.2. We recommend
    that you upgrade your samba package immediately.

    IMPACT

    Local users can overwrite system files, causing corruption and
    potentially gaining root access.

    SOLUTION

    Upgrade to a fixed version of samba. Samba versions 2.0.8 and 2.2.0
    correct the problem. For your convenience, you may upgrade to the
    packages smbclient_2.0.7-3.2, samba-common_2.0.7-3.2, and
    samba_2.0.7-3.2.

    WORKAROUND

    No known workaround exists for this vulnerability.

    UPDATING VIA APT-GET

     1. Ensure that your /etc/apt/sources.list file has a URI for Progeny's
        update repository:

            deb http://archive.progeny.com/progeny updates/newton/

     2. Update your cache of available packages for apt(8).

        Example:

            # apt-get update

     3. Using apt(8), install the new package. apt(8) will download the
        update, verify its integrity with md5, and then install the
        package on your system with dpkg(8).

        Example:

            # apt-get install samba smbclient

    UPDATING VIA DPKG

     1. Using your preferred FTP/HTTP client to retrieve the following
        updated files from Progeny's update archive at:

        http://archive.progeny.com/progeny/updates/newton/

        Filename MD5 Checksum
        ------------------------------------ --------------------------------
        samba-common_2.0.7-3.2_i386.deb 7eabad23b6c221ec3cb50e6b41a7de99
        samba_2.0.7-3.2_i386.deb 36fbb1a508503bc9c0844b5f98f98264
        smbclient_2.0.7-3.2_i386.deb fe8c68a7cf5499e2b665e5ac73aad3ac

        Example:

            # wget \
            http://archive.progeny.com/progeny/updates/newton/samba-common_2.0.7-3.2_i386.deb \
            http://archive.progeny.com/progeny/updates/newton/samba_2.0.7-3.2_i386.deb \
            http://archive.progeny.com/progeny/updates/newton/smbclient_2.0.7-3.2_i386.deb

     2. Use the md5sum command on the retrieved files to verify that they
        match the md5sum provided in this advisory:

        Example:

            # md5sum samba-common_2.0.7-3.2_i386.deb

     3. Then install the replacement package(s) using the dpkg command.

        Example:

            # dpkg --install samba-common_2.0.7-3.2_i386.deb \
            samba_2.0.7-3.2_i386.deb smbclient_2.0.7-3.2_i386.deb

     ---------------------------------------------------------------------------

    pub 1024D/F92D4D1F 2001-04-04 Progeny Security Team <securityprogeny.com>

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.4 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    iEYEARECAAYFAjrd1LoACgkQScF9I/ktTR9OWACfejd5JYdQVRKIXP01na06y8F/
    9vYAnA5yFCQ9oFbdW9TuhtaqYRbDOYBa
    =n/Ha
    -----END PGP SIGNATURE-----