Samba Team Information for VU#670568

Samba creates temporary files insecurely

Status

Affected

Vendor Statement

The recent Samba 2.0.8 security fix release did NOT fix the security hole in Samba 2.0.7. I have now released Samba 2.0.9 to fix this.

Many thanks to Marc Jacobsen from HP for pointing out the error, and apologies from the Samba Team for any inconvenience.

Note that the 2.2.0 release did fix the bug, so if you have installed that release then you can ignore this message.

The 2.0.9 release is available at
ftp://ftp.samba.org/pub/samba/samba-2.0.9.tar.gz
the patch is available at:
ftp://ftp.samba.org/pub/samba/patches/samba-2.0.8-2.0.9.diffs.gz

The 2.2.0 release is available at:
ftp://ftp.samba.org/pub/samba/samba-2.2.0.tar.gz

We do not plan on doing any more releases of Samba 2.0.x.

Distribution vendors have been notified about the error and will be doing new releases shortly.
- - - - - - - - - -
The bug was introduced into the CVS tree on June 27th 1997. That means all versions from (and including) 1.9.17alpha4 are vulnerable. Amazingly, the bug went undetected through several security audits by various companies over the last 4 years.

The impact of the bug varies a little between versions. In the 2.0.7 release the exploit is only easy (and perhaps only possible, but I won't guarantee it) if you are exporting printer shares. In either case, we consider it a serious enough risk that all sites should upgrade as soon as possible, especially if you have untrusted users with shell accounts.

Note that the bug is not a race condition. Given the right conditions the exploit will be successful first time every time. (ie. it is not a classic mktemp race)

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.