[Pkg-samba-maint] Bug#418587: samba: Improper handling of /../ pathnames in smb.conf

Peter Rabbitson rabbit at rabbit.us
Tue Apr 10 17:22:52 UTC 2007


Package: samba
Version: 3.0.24-6
Severity: normal


Samba improperly handles /../ in directory paths, both when directly specified
in the config file and when obtained from a variable like %H. A string like
`TopDir/Subdir1/../Subdir2` will be converted to `TopDirSubdir2` which is
pretty far from what is desired. The bug was initially reported upstream
in version 3.0.23c (https://bugzilla.samba.org/show_bug.cgi?id=4155) about
8 months ago, but the bug is still present in the latest version. 

Note: A use case where a path might contain /../ is a system with user home
directories modified according to the passwd_chroot_enable option of vsftpd.
With a homedir of `/home/webspace/<user>/./../../<user>` the samba %H variable
becomes useless.


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.18.6.th5
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages samba depends on:
ii  debconf  1.5.13                          Debian configuration management sy
ii  libacl1  2.2.42-1                        Access control list shared library
ii  libattr1 1:2.4.32-1.1                    Extended attribute shared library
ii  libc6    2.3.6.ds1-13                    GNU C Library: Shared libraries
ii  libcomer 1.39+1.40-WIP-2006.11.14+dfsg-2 common error description library
ii  libcupsy 1.2.7-4                         Common UNIX Printing System(tm) - 
ii  libgnutl 1.4.4-3                         the GNU TLS library - runtime libr
ii  libkrb53 1.4.4-8                         MIT Kerberos runtime libraries
ii  libldap2 2.1.30-13.4                     OpenLDAP libraries
ii  libpam-m 0.79-4                          Pluggable Authentication Modules f
ii  libpam-r 0.79-4                          Runtime support for the PAM librar
ii  libpam0g 0.79-4                          Pluggable Authentication Modules l
ii  libpopt0 1.10-3                          lib for parsing cmdline parameters
ii  logrotat 3.7.1-3                         Log rotation utility
ii  lsb-base 3.1-23.1                        Linux Standard Base 3.1 init scrip
ii  netbase  4.29                            Basic TCP/IP networking system
ii  procps   1:3.2.7-3                       /proc file system utilities
ii  samba-co 3.0.24-6                        Samba common files used by both th
ii  zlib1g   1:1.2.3-13                      compression library - runtime

Versions of packages samba recommends:
pn  smbldap-tools                 <none>     (no description available)

-- debconf information excluded
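
The normalization the report expects, as an added example (not part of the original report and not Samba's code): a lexical collapse of `.` and `..` components that keeps the `/` separators, so `TopDir/Subdir1/../Subdir2` becomes `TopDir/Subdir2`. The names `normalize_path` and `norm` are hypothetical, and the user name `alice` is constructed to stand in for `<user>`.

```c
#include <stdio.h>
#include <string.h>
/* Lexical normalization only: symlinks are not resolved.
 * Returns 0, or -1 if out is too small or ".." climbs above "/". */
int normalize_path(const char *in, char *out, size_t outsz)
{
    int absolute = (in[0] == '/');
    size_t len = 0, base;
    if (outsz < 2) return -1;
    if (absolute) out[len++] = '/';
    base = len;                        /* ".." never cuts below this offset */
    while (*in) {
        size_t n = strcspn(in, "/");   /* length of the next component */
        int dotdot = (n == 2 && in[0] == '.' && in[1] == '.');
        if (dotdot && len > base) {    /* drop the last kept component */
            while (len > base && out[len - 1] != '/')
                len--;
            if (len > base) len--;     /* and the '/' in front of it */
        } else if (dotdot && absolute) {
            return -1;
        } else if (n > 0 && !(n == 1 && in[0] == '.')) {
            size_t sep = (len > 0 && out[len - 1] != '/');
            if (len + sep + n >= outsz) return -1;
            if (sep) out[len++] = '/'; /* the separator is always restored */
            memcpy(out + len, in, n);
            len += n;
            if (dotdot) base = len;    /* leading ".." of a relative path stays */
        }
        in += n;
        while (*in == '/') in++;
    }
    if (len == 0) out[len++] = '.';
    out[len] = '\0';
    return 0;
}

/* Wrapper with a static buffer (not reentrant); NULL means rejected. */
const char *norm(const char *in)
{
    static char buf[256];
    return normalize_path(in, buf, sizeof buf) == 0 ? buf : NULL;
}

int main(void)
{   /* first path is from the report; "alice" is a constructed user name */
    puts(norm("TopDir/Subdir1/../Subdir2"));
    puts(norm("/home/webspace/alice/./../../alice"));
    return 0;
}
```

Because the collapse is purely lexical, the result can differ from what the kernel resolves when a component before `..` is a symlink.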
