[Pkg-samba-maint] Bug#567554: Bug#567554: Privilege escalation in mount.cifs
Christian PERRIER
bubulle at debian.org
Sun Jan 31 12:09:22 UTC 2010
Quoting Moritz Muehlenhoff (jmm at debian.org):
> Package: smbfs
> Severity: grave
> Tags: security
>
> This is CVE-2009-3297:
> https://bugzilla.samba.org/show_bug.cgi?id=6853
>
> /usr/share/doc/smbfs/TODO.Debian states:
> There is concern about the setuid status of binaries in this package.
> The audit status of the concerned binaries is unclear. We should
> figure out whether it is reasonable to provide the flexible user mount
> capabilities or whether a more restricted setup is better, at least by
> default.
>
> Given that Jeremy Allison writes in the bug above you should probably
> drop the setuid for Squeeze:

My concern here is that it would definitely be a regression for users
who rely on user mounting of CIFS volumes.

A compromise could be a debconf question about adding the setuid bit
to mount.cifs (with a default to False, of course).

Steve, your advice?