-----------------------------------------------------------------------
Immunix OS Security Advisory
Packages updated: samba, samba-client, samba-common
Affected products: Immunix OS 6.2, 7.0-beta, and 7.0
Bugs fixed: immunix/1649
Date: Tue Jun 26 2001
Advisory ID: IMNX-2001-70-027-01
Author: Seth Arnold <sarnold@wirex.com>
-----------------------------------------------------------------------
Description:
Michal Zalewski has found a weakness in the Samba suit of SMB protocol
(Windows and LANManager file and printer sharing) programs that allow
local and remote users to append to files writable by root, as long as
the path from /var/log/samba is no more than 15 characters long. The
easiest way to reach arbitrary files is by using a symbolic link in
/tmp; this attack is stopped on Immunix 7.0 (and 6.2 with our kernel
updates) because they use Solar Designer's Openwall kernel patch.
However, users with sufficiently short usernames could use their own
home directories for symlinks.
The problem can be mitigated by removing all references to %m from the
samba configuration file, /etc/samba/smb.conf until upgrading.
We suggest upgrading immediately.
Thanks to Michal Zalewski for finding this problem, and thanks to the
Samba team for their rapid response.
References:
http://us1.samba.org/samba/whatsnew/macroexploit.html
http://www.securityfocus.com/archive/1/193027
http://www.securityfocus.com/archive/1/193501
Package names and locations:
Precompiled binary packages for Immunix 6.2 are available at:
http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/samba-2.0.10-1_StackGuard_1.i386.rpm
http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/samba-client-2.0.10-1_StackGuard_1.i386.rpmhttp://download.immunix.org/ImmunixOS/6.2/updates/RPMS/samba-common-2.0.10-1_StackGuard_1.i386.rpm
Source packages for Immunix 6.2 are available at:
http://download.immunix.org/ImmunixOS/6.2/updates/SRPMS/samba-2.0.10-1_StackGuard_1.src.rpm
Precompiled binary packages for Immunix 7.0-beta and 7.0 are available at:
http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/samba-2.0.10-1_imnx_1.i386.rpm
http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/samba-client-2.0.10-1_imnx_1.i386.rpm
http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/samba-common-2.0.10-1_imnx_1.i386.rpm
Source package for Immunix 7.0-beta and 7.0 is available at:
http://download.immunix.org/ImmunixOS/7.0/updates/SRPMS/samba-2.0.10-1_imnx_1.src.rpm
Immunix OS 6.2 md5sums:
da6b34ebc720c502eaf66a9b36ee12c4 RPMS/samba-2.0.10-1_StackGuard_1.i386.rpm
09c1252a93695157ee01574b668d34fc RPMS/samba-client-2.0.10-1_StackGuard_1.i386.rpm
e097092969435a751c038c4fd6ceb81b RPMS/samba-common-2.0.10-1_StackGuard_1.i386.rpm
627fa90d8de54f3c57d45621101c25cc SRPMS/samba-2.0.10-1_StackGuard_1.src.rpm
Immunix OS 7.0 md5sums:
1037179f0e7c33ade98d502e073922f7 RPMS/samba-2.0.10-1_imnx_1.i386.rpm
66a119a79bea0b44ff99556ecd94eceb RPMS/samba-client-2.0.10-1_imnx_1.i386.rpm
285625cf5281cbb01d6f885bc54f493f RPMS/samba-common-2.0.10-1_imnx_1.i386.rpm
080ea9972bde36576adf780df5c314a0 SRPMS/samba-2.0.10-1_imnx_1.src.rpm
GPG verification:
Our public key is available at <http://wirex.com/security/GPG_KEY>.
*** NOTE *** This key is different from the one used in advisories
IMNX-2001-70-020-01 and earlier.
Online version of all Immunix 6.2 updates and advisories:
http://immunix.org/ImmunixOS/6.2/updates/
Online version of all Immunix 7.0-beta updates and advisories:
http://immunix.org/ImmunixOS/7.0-beta/updates/
Online version of all Immunix 7.0 updates and advisories:
http://immunix.org/ImmunixOS/7.0/updates/
NOTE:
Ibiblio is graciously mirroring our updates, so if the links above are
slow, please try:
ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
or one of the many mirrors available at:
http://www.ibiblio.org/pub/Linux/MIRRORS.html
Contact information:
To report vulnerabilities, please contact security@wirex.com. WireX
attempts to conform to the RFP vulnerability disclosure protocol
<http://www.wiretrip.net/rfp/policy.html>.
This archive was generated by hypermail 2b30 : Wed Jun 27 2001 - 21:52:32 CEST