[VIM] CVE-2008-6800 dispute: samba winbindd race condition

Steven M. Christey coley at linus.mitre.org
Fri May 22 23:32:15 UTC 2009


This CVE was created from an rPath advisory that was apparently a mis-read
of a Samba changelog comment that said "Prevent crash bug in Winbind
caused by a race condition when a child process becomes unresponsive."

- Steve


======================================================
Name: CVE-2008-6800
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6800
Reference: BUGTRAQ:20081030 rPSA-2008-0308-1 samba samba-client samba-server samba-swat
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/497941/100/0/threaded
Reference: MISC:https://issues.rpath.com/browse/RPL-2766
Reference: CONFIRM:http://wiki.rpath.com/Advisories:rPSA-2008-0308
Reference: CONFIRM:http://www.samba.org/samba/history/samba-3.0.32.html

** REJECT **

DO NOT USE THIS CANDIDATE NUMBER.  ConsultIDs: None.  Reason: this
candidate is not a security issue.  It was originally created based on
one vendor's misinterpretation of an upstream changelog comment that
referred to a race condition in the winbind daemon (aka winbindd) in
Samba before 3.0.32.  The upstream vendor states: "The Samba Team sees
no way to exploit this race condition by a user of the system or an
external attacker. In order to be able to trigger the race condition a
privileged user (root) need to intentionally kill a winbind child
process and carefully time the killing to trigger the race
condition. Although, if the user is already privileged, it can more
easily just kill the parent process directly."  CVE concurs with the
dispute.  Notes: CVE users should not use this identifier.


