[Pkg-samba-maint] Bug#424629: security upgrade broke permissions check.
Christian Perrier
bubulle at debian.org
Fri May 18 17:28:24 UTC 2007
> I haven't looked very closely at what's going on, but I bet the problem
> is related to the fix for CVE-2007-2444, which changes the way in which
> samba gets root access when it needs it. It switches from
> become_root_uid_only() to become_root(). The names of those functions
> suggest that previously the group membership would not change, but now
> it might.
>
> The issue sounds like it must be upstream, not Debian-specific. Have
> you heard anything from them?
>
> I'm not sure what you should do for testing users (or stable, or anybody
> else), since there currently is no security-fixed version that doesn't
> break functionality. Figuring out how we can fix this problem in stable
> is my priority. If we can figure out a way to fix the vulnerabilities
> without breaking functionality, the secure-testing team ought to be able
> to help by uploading to testing-security.
The Samba Team just agreed in
http://lists.samba.org/archive/samba/2007-May/132056.html that this is
a bug in 3.0.25 *and probably in the security patches*, which will be
fixed in 3.0.25a.

I just asked Jerry Carter for the bug's patch so that we can apply it
to 3.0.24-6etch1 and reupload a fixed version to etch.

I think that this bug deserves it. Breaking shares with "force group"
will break a lot of servers. And we need to fix this quickly, imho.