[Pkg-samba-maint] Bug#568493: samba: zero-day remote access exploit
Steve Langasek
vorlon at debian.org
Fri Feb 5 07:18:18 UTC 2010
severity 568493 important
thanks
On Fri, Feb 05, 2010 at 01:07:14AM -0500, Michael Gilbert wrote:
> package: samba
> version: 2:3.4.5~dfsg-1
> severity: critical
> hi, a zero-day remote access exploit has been demonstrated using a
> vulnerability in samba [0]. the only info to go on right now is a
> rather blurry video demonstrating the exploit in action as well as the
> code modified. i know this isn't a lot to go on, but hopefully it's
> enough info to figure out the problem.
> mike
> [0] http://seclists.org/fulldisclosure/2010/Feb/82
Why are you presuming to file critical-severity bugs for an unconfirmed
vulnerability if you can't even give a description of what that
vulnerability is? There's nothing critical here; the video shows that, if
you allow untrusted users anonymous access to a Samba share, they can read
any files on the system that your guest user (i.e., user 'nobody') can read.
That's a bug, it should be fixed, but its impact isn't release-critical.
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek at ubuntu.com vorlon at debian.org