[Pkg-samba-maint] Bug#568493: samba: zero-day remote access exploit

Steve Langasek vorlon at debian.org
Fri Feb 5 07:18:18 UTC 2010


severity 568493 important
thanks

On Fri, Feb 05, 2010 at 01:07:14AM -0500, Michael Gilbert wrote:
> package: samba
> version: 2:3.4.5~dfsg-1
> severity: critical

> hi, a zero-day remote access exploit has been demonstrated using a
> vulnerability in samba [0].  the only info to go on right now is a
> rather blurry video demonstrating the exploit in action as well as the
> code modified. i know this isn't a lot to go on, but hopefully it's
> enough info to figure out the problem.

> mike

> [0] http://seclists.org/fulldisclosure/2010/Feb/82

Why are you presuming to file critical-severity bugs for an unconfirmed
vulnerability if you can't even give a description of what that
vulnerability is?  There's nothing critical here; the video shows that, if
you allow untrusted users anonymous access to a Samba share, they can read
any files on the system that your guest user (i.e., user 'nobody') can read.

That's a bug, it should be fixed, but its impact isn't release-critical.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org