[Pkg-samba-maint] [Samba-pkg-sec] CVE-2009-2813 & CVE-2009-2948
bubulle at debian.org
Tue Sep 29 17:29:07 UTC 2009
Quoting Karolin Seeger (kseeger at samba.org):
> Samba 3.0.37, 3.2.15, 3.3.8 and 3.4.2 are scheduled for tomorrow, September 29,
> in order to address CVE-2009-2948 ("Information disclosure by setuid
> mount.cifs") and CVE-2009-2813 ("Misconfigured /etc/passwd file may share
> folders unexpectedly").
> Please find attached both advisories and patches for Samba 3.0.36, 3.2.14, 3.3.7
> and 3.4.1.
> Sorry for the short-term notification, but both issues are public.
For the record, I made a (quite short) attempt to work on 3.2.5 Debian
packages yesterday (they are our priority as this is what we ship in
Unfortunately, samba-3.2.14-CVE-2009-2948-2.patch fails to apply (the
last chunk does not seem to correspond to existing code in
mount.cifs.c)....and compiling with the missing chunk fails:
client/mount.cifs.c: In function 'get_password_from_file':
client/mount.cifs.c:324: error: 'EX_SYSERR' undeclared (first use in this function)
client/mount.cifs.c:324: error: (Each undeclared identifier is reported only once
client/mount.cifs.c:324: error: for each function it appears in.)
The following command failed:
gcc -I. -I/tmp/buildd/samba-3.2.5/source -O -D_SAMBA_BUILD_=3 -I/tmp/buildd/samba-3.2.5/source/iniparser/src -Iinclude -I./include -I. -I. -I./lib/replace -I./lib/talloc -I./lib/tdb/include -I./libaddns -I./librpc -DHAVE_CONFIG_H -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE -Iinclude -I./include -I. -I. -I./lib/replace -I./lib/talloc -I./lib/tdb/include -I./libaddns -I./librpc -I./popt -DLDAP_DEPRECATED -I/include -I/tmp/buildd/samba-3.2.5/source/lib -D_SAMBA_BUILD_=3 -fPIC -c client/mount.cifs.c -o client/mount.cifs.o
make: *** [client/mount.cifs.o] Error 1
make: Leaving directory `/tmp/buildd/samba-3.2.5/source'
make: *** [build-stamp] Error 2
dpkg-buildpackage: failure: debian/rules build gave error exit status
I briefly talked to Steve on IRC and he mentioned he'll try to look at
this "this evening" (which means now according to our timezone
differences)....but any help might be appreciated.
For other Debian packaging team members, I attach the patch tarball.
For Karolin, you might be interested in knowing that the 3.2 patches
do not necessarily apply to any 3.2 version (other vendors may report
----- End forwarded message -----
More information about the Pkg-samba-maint