[Pkg-samba-maint] Bug#665923: Bug#665923: file enumeration vulnerability via mount.cifs due to early use of chdir() and error message

Nico Golde nion at debian.org
Tue Mar 27 05:15:10 UTC 2012


Hi,
* Steve Langasek <vorlon at debian.org> [2012-03-27 05:33]:
> On Tue, Mar 27, 2012 at 04:43:41AM +0200, Nico Golde wrote:
> > Hi, it was discovered that mount.cifs is doing a chdir to the specified
> > directory before the fstab file is actually checked.  Since mount.cifs is
> > (also on Debian) installed as setuid, this allows an attacker to use the
> > program to enumerate the existence of files/directories on the system by
> > checking for the existence of the error response.
> 
> > I don't have time to write a patch now or to test that, but a quick look
> > at mount.cifs.c suggests that this can be fixed just by changing the order
> > of the execution.
> 
> How does an information leak about the names of files qualify as a "grave"
> bug?  This doesn't seem consistent with
> <http://www.debian.org/Bugs/Developer#severities> to me.

Well it depends on your definition of access to accounts of users. Anyway, I 
don't have any deep feelings about this, so no need to discuss this further.

> Also, mount.cifs doesn't come from the samba source anymore; reassigning to
> cifs-utils.

I noticed that right after filing the bug and reassigned it already myself.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
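
Added illustration, not code from this thread or from cifs-utils/mount.cifs: a small C model of the ordering problem Nico describes. A setuid helper that chdir()s to the caller-supplied mountpoint before consulting its fstab-style allow list hands back two different errors (path missing vs. not permitted), which is the existence oracle; checking authorization first gives an unauthorized caller the same answer for every path. The allow-list entry and the probe paths are constructed for the demo, and the working directory is restored after each chdir() so the program has no side effects.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed stand-in for the fstab entries an unprivileged user may mount. */
static const char *const allowed_mountpoints[] = {
    "/mnt/constructed-share",   /* hypothetical entry, not taken from the report */
    NULL,
};

enum mount_result {
    MOUNT_OK = 0,
    MOUNT_ERR_NOT_PERMITTED,    /* mountpoint is not listed for this user */
    MOUNT_ERR_NO_SUCH_DIR,      /* chdir() failed (ENOENT, ENOTDIR, EACCES, ...) */
};

static int is_permitted(const char *mountpoint) {
    for (size_t i = 0; allowed_mountpoints[i] != NULL; i++)
        if (strcmp(allowed_mountpoints[i], mountpoint) == 0)
            return 1;
    return 0;
}

/* chdir() to the path, then restore the previous working directory so the
 * demo leaves the process state untouched.  Returns chdir()'s result. */
static int probe_chdir(const char *path) {
    int saved = open(".", O_RDONLY);
    if (saved < 0)
        return -1;
    int rc = chdir(path);
    int saved_errno = errno;
    if (fchdir(saved) != 0)
        perror("fchdir");
    close(saved);
    errno = saved_errno;
    return rc;
}

/* The ordering described in the report: filesystem access before the
 * fstab check.  The two distinct errors reveal whether the path exists. */
enum mount_result vulnerable_order(const char *mountpoint) {
    if (probe_chdir(mountpoint) != 0)
        return MOUNT_ERR_NO_SUCH_DIR;     /* caller learns: path does not exist */
    if (!is_permitted(mountpoint))
        return MOUNT_ERR_NOT_PERMITTED;   /* caller learns: path does exist */
    return MOUNT_OK;
}

/* The reordered version: authorize against fstab first, and only then touch
 * the filesystem.  An unauthorized caller gets one answer whatever the path. */
enum mount_result fixed_order(const char *mountpoint) {
    if (!is_permitted(mountpoint))
        return MOUNT_ERR_NOT_PERMITTED;
    if (probe_chdir(mountpoint) != 0)
        return MOUNT_ERR_NO_SUCH_DIR;     /* only reachable for a permitted mountpoint */
    return MOUNT_OK;
}

/* 1 if the helper answers differently for the two paths, i.e. an observer
 * can tell them apart from the result alone; 0 if the answers are identical. */
int results_differ(enum mount_result (*fn)(const char *), const char *a, const char *b) {
    return fn(a) != fn(b);
}

int main(void) {
    const char *existing = "/";                                  /* exists on every system */
    const char *missing = "/nonexistent-constructed-path-for-demo";  /* constructed */
    printf("chdir-first ordering leaks existence: %d\n",
           results_differ(vulnerable_order, existing, missing));
    printf("check-first ordering leaks existence: %d\n",
           results_differ(fixed_order, existing, missing));
    return 0;
}
```

The point of the check-first ordering is that every code path reachable by an unauthorized caller returns before any operation whose outcome depends on the filesystem; the same rule applies to stat(), open() or any other probe a setuid helper might do before validating its arguments.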