[Pkg-samba-maint] Bug#568493: Bug#568493: samba: zero-day remote access exploit

Michael Gilbert michael.s.gilbert at gmail.com
Sat Feb 6 15:39:54 UTC 2010


On Sat, 6 Feb 2010 12:14:58 +0100 Christian PERRIER wrote:

> Quoting Michael Gilbert (michael.s.gilbert at gmail.com):
> 
> > no, if you watch the video closely (also see [0]), you can see that they
> > have read access to pretty much any file on the system
> > (i.e. /etc/passwd) and write access to any location writable by the
> > account they connect under. 
> > 
> > > That's a bug, it should be fixed, but its impact isn't release-critical.
> > 
> > it's your call, but i disagree.
> 
> In such case, I think we should let upstream do their job and
> investigate/discuss the issue...which is what happened when Jeremy
> posted in samba at lists.samba.org yesterday.
> 
> So, imho, the bug report was a little bit premature(en?) as I think
> we've already confirmed that we follow upstream development closely enough.

if i see an active exploit on one of the lists i'm following, then i am
going to report it (after all, doesn't "Debian does not hide problems"?),
regardless of any concept of prematurity.  you all are responsible for this
package, and if there isn't enough info yet, then you should actively go to
upstream to see what's going on, or take a look at the problem yourself.

> As of now, I understand that the planned fix is to disable wide links
> by default. In such case, I don't see much more action to have in
> Debian. Particularly, I'm unsure about fixing lenny.

if you were following upstream closely, you will have seen that "wide
links" is a band aid, and a real fix is in the works [0].

sorry if this seems rude, but i'm tired of getting snippy emails.

best wishes,
mike

[0] http://lists.samba.org/archive/samba-technical/2010-February/069200.html