[Pkg-samba-maint] Bug#424629: security upgrade broke permissions check
Noah Meyerhans
noahm at debian.org
Thu May 17 10:22:28 UTC 2007
On Wed, May 16, 2007 at 06:23:38PM +0200, Christian Perrier wrote:
> Hmmm, OK, that's enough. There are now enough such issues raised to
> prevent us from allowing 3.0.25-1 to migrate to testing too quickly, until
> all this is examined.
>
> As a consequence, I raise the severity of this bug report to make it
> RC. There are probably very few chances that samba migrates to testing
> quickly, because of an untransitioned libc6, but better be careful.
>
> Other samba maintainers and security team: do you think we should do
> something for users of testing? They're left without a decent answer
> to the recent security issues if 3.0.25-1 does not enter testing,
> unless they have the etch security updates listed in their
> sources.list
I haven't looked very closely at what's going on, but I bet the problem
is related to the fix for CVE-2007-2444, which changes the way in which
samba gets root access when it needs it. It switches from
become_root_uid_only() to become_root(). The names of those functions
suggest that previously the group membership would not change, but now
it might.

The issue sounds like it must be upstream, not Debian-specific. Have
you heard anything from them?

I'm not sure what you should do for testing users (or stable, or anybody
else), since there currently is no security-fixed version that doesn't
break functionality. Figuring out how we can fix this problem in stable
is my priority. If we can figure out a way to fix the vulnerabilities
without breaking functionality, the secure-testing team ought to be able
to help by uploading to testing-security.

noah