[Pkg-samba-maint] Bug#568493: samba: zero-day remote access exploit

Michael Gilbert michael.s.gilbert at gmail.com
Fri Feb 5 17:23:27 UTC 2010


On Thu, 4 Feb 2010 23:18:18 -0800, Steve Langasek wrote:
> severity 568493 important
> thanks
> 
> On Fri, Feb 05, 2010 at 01:07:14AM -0500, Michael Gilbert wrote:
> > package: samba
> > version: 2:3.4.5~dfsg-1
> > severity: critical
> 
> > hi, a zero-day remote access exploit has been demonstrated using a
> > vulnerability in samba [0].  the only info to go on right now is a
> > rather blurry video demonstrating the exploit in action as well as the
> > code modified. i know this isn't a lot to go on, but hopefully it's
> > enough info to figure out the problem.
> 
> > mike
> 
> > [0] http://seclists.org/fulldisclosure/2010/Feb/82
> 
> Why are you presuming to file critical-severity bugs for an unconfirmed
> vulnerability if you can't even give a description of what that
> vulnerability is?

when issues are disclosed, they should be tracked so they can be
fixed; regardless of how much information is presently available, or
whether it has been "confirmed", by which i think you actually mean
reproduced.  the only way to consider this unconfirmed is if the video
were faked, which is a possibility.  however, we should err on the side
of caution and assume that it is real until proven otherwise.

debian bug severity critical:
  [...] or introduces a security hole on systems where you install the
  package. 

> you allow untrusted users anonymous access to a Samba share, they can read
> any files on the system that your guest user (i.e., user 'nobody') can read.

no, if you watch the video closely (also see [0]), you can see that they
have read access to pretty much any file on the system
(i.e. /etc/passwd) and write access to any location writable by the
account they connect under. 

> That's a bug, it should be fixed, but its impact isn't release-critical.

it's your call, but i disagree.

mike

[0] http://seclists.org/fulldisclosure/2010/Feb/99
