[Pkg-samba-maint] Bug#424629: security upgrade broke permissions check.

Christian Perrier bubulle at debian.org
Fri May 18 17:28:24 UTC 2007


> I haven't looked very closely at what's going on, but I bet the problem
> is related to the fix for CVE-2007-2444, which changes the way in which
> samba gets root access when it needs it.  It switches from
> become_root_uid_only() to become_root().  The names of those functions
> suggest that previously the group membership would not change, but now
> it might.
> 
> The issue sounds like it must be upstream, not Debian-specific.  Have
> you heard anything from them?
> 
> I'm not sure what you should do for testing users (or stable, or anybody
> else), since there currently is no security-fixed version that doesn't
> break functionality.  Figuring out how we can fix this problem in stable
> is my priority.  If we can figure out a way to fix the vulnerabilities
> without breaking functionality, the secure-testing team ought to be able
> to help by uploading to testing-security.


The Samba Team just agreed in
http://lists.samba.org/archive/samba/2007-May/132056.html that this is
a bug in 3.0.25 *and probably in the security patches*, which will be
fixed in 3.0.25a.

I just asked Jerry Carter for the bug's patch so that we can apply it
to 3.0.24-6etch1 and reupload a fixed version to etch.

I think that this bug deserves it. Breaking shares with "force group"
will break a lot of servers, and we need to fix this quickly, imho.

