-----BEGIN PGP SIGNED MESSAGE----- The Samba team has discovered two security vulnerabilities in the samba-1.9.18 RPMs as distributed by RedHat, Caldera and TurboLinux. As far as we know no other distributions of Samba are affected. summary: ======== The first problem is the installation permissions of the wsmbconf binary. The RPM installs wsmbconf as a setgid binary owned by group root and executable by all users. The wsmbconf program was a prototype application and was never meant to make its way into a Samba release. It was not designed to be setgid and is vulnerable to attack by local users when installed setgid. The second problem is that the spec file creates a world writeable spool area /var/spool/samba but does not set the t bit. The t bit should be set on Samba spool directories. impact: ======= 1) non-privileged users can use wsmbconf to gain read/write access to any file which is accessible to the root group. 2) non-privileged users can alter the content of documents being printed by other users. If an interpreter such as ghostscript is used to process print files then the insertion of exploit code into print files may allow an attacker to exploit vulnerabilities in the interpreter to gain access to files owned by users submitting print jobs. vulnerable systems: =================== The wsmbconf vulnerability is known to affect the binary versions of Samba-1.9.18 distributed with RedHat Linux, Caldera OpenLinux and PHT TurboLinux. The /var/spool/samba vulnerability is known to affect all binary versions of Samba distributed with RedHat from version 4.0 up to 5.2. It is believed to also affect a wide range of Caldera and TurboLinux versions but specifics are not available at this time. Systems on which Samba has been built from the distributed source code (the .tar.gz files) are not vulnerable. Both vulnerabilities are present only in the packaging files used for particular binary distributions. You can tell if your system is vulnerable by looking for a file called /usr/sbin/wsmbconf. If you have that file then you have a vulnerable installation. workaround: =========== 1) All systems on which /usr/sbin/wsmbconf is installed should immediately remove that file: rm -f /usr/sbin/wsmbconf removing that file will not in any way adversely affect your Samba installation as the file is not actually part of Samba 1.9.18. It was included in the distribution inadvertently. 2) All systems which have a /var/spool/samba directory should ensure that the t bit is set on that directory: chmod +t /var/spool/samba fix: ==== 1) The cause of the first problem is the following line in the spec file used to compile Samba 1.9.18p10 on RedHat and Caldera systems: %attr(2755,root,root) /usr/sbin/wsmbconf The 2755 permissions are incorrect. The correct action is to remove wsmbconf completely from the spec file. 2) The cause of the second problem is the following line in the spec file used to compile Samba 1.9.18p10 on RedHat and Caldera systems: %attr(777,root,root) %dir /var/spool/samba the line should be changed to read: %attr(1777,root,root) %dir /var/spool/samba updated packages: ================ RedHat and Caldera have released new RPMs on their ftp sites. We expect PHT to release new RPMs shortly. The URLs I have been given are: Caldera ftp.caldera.com:/pub/OpenLinux/updates/1.3/007 Redhat Red Hat Linux 4.2 alpha ftp://updates.redhat.com/4.2/alpha/samba-1.9.18p10-0.alpha.rp m i386 ftp://updates.redhat.com/4.2/i386/samba-1.9.18p10-0.i386.rpm sparc ftp://updates.redhat.com/4.2/sparc/samba-1.9.18p10-0.sparc.rp m Red Hat Linux 5.0, 5.1 and 5.2: alpha ftp://updates.redhat.com/5.2/alpha/samba-1.9.18p10-5.alpha.rp m i386 ftp://updates.redhat.com/5.2/i386/samba-1.9.18p10-5.i386.rpm sparc ftp://updates.redhat.com/5.2/sparc/samba-1.9.18p10-5.sparc.rp m additional: =========== wsmbconf was included inadvertently in the RedHat spec file as distributed in Samba 1.9.18 by a Samba Team member. RedHat, Caldera and PHT are not responsible for this vulnerability, even though only those systems are affected. The Samba Team apologises to RedHat, Caldera and PHT users for these mistakes. These vulnerabilities were discovered during routine inspection of the spec files. We are not aware of anyone actively exploiting these vulnerabilities, although exploits are certainly possible. -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAgUBNlPFP2NSlURsK/StAQFKRAQAisDAtHMR2hUtiep0YyLTDCAkEC6DzL0b kz3dgjagx8lo0Qqry6tb3+b5abF+/PNqHlndI2qEOVVamz77IGC9WVhtZIPnCzes z0sZSnMZ5IxJJTa1BY3L0uAE2+Pgmz3ncsedrh1uDSzPIVph2FT89sqDvNOJpow4 6lQeXHQ7JN8= =tAPq -----END PGP SIGNATURE-----