[SCM] Samba Website Repository - branch master updated

Lars Müller lmuelle at samba.org
Sat Jul 30 06:45:06 MDT 2011 

The branch, master has been updated
       via  5de880c Add CVE-2010-0926.html page.
      from  7dad6aa Announce Samba 3.6.0rc3.

http://gitweb.samba.org/?p=samba-web.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 5de880ca8186de73f7e8aff505ddc2e253fc334e
Author: Lars Müller <lars at samba.org>
Date:   Sat Jul 30 14:38:44 2011 +0200

    Add CVE-2010-0926.html page.

-----------------------------------------------------------------------

Summary of changes:
 security/CVE-2010-0926.html |  103 +++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 103 insertions(+), 0 deletions(-)
 create mode 100644 security/CVE-2010-0926.html


Changeset truncated at 500 lines:

diff --git a/security/CVE-2010-0926.html b/security/CVE-2010-0926.html
new file mode 100644
index 0000000..9d1ee2d
--- /dev/null
+++ b/security/CVE-2010-0926.html
@@ -0,0 +1,103 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+   <H2>CVE-2010-0926: </H2>
+
+<p>
+<pre>
+===========================================================
+== Subject:     Change parameter "wide links" to default to "no";
+==		it's also incompatible with "unix extensions"
+==
+== CVE ID#:     CVE-2010-0926
+==
+== Versions:    pre-3.4.6
+==
+== Summary:     By default Samba ships with the parameter "wide links = yes",
+==		which allows Administrators to locally (on the server) add a symbolic
+==		link inside an exported share which SMB/CIFS clients will follow.
+===========================================================
+
+===========
+Description
+===========
+
+The problem comes from a combination of two features in Samba, each of which on
+their own are useful to Administrators, but in combination allow users to
+access any file on the system that their logged in username has permissions to
+read (this is not a privilege escalation problem).
+
+By default Samba ships with the parameter "wide links = yes", which allows
+Administrators to locally (on the server) add a symbolic link inside an
+exported share which SMB/CIFS clients will follow.
+
+As an example, given a share definition:
+
+  [tmp]
+	path = /tmp
+	read only = no
+	guest ok = yes
+
+The administrator could add a symlink:
+
+  $ ln -s /etc/passwd /tmp/passwd
+
+and SMB/CIFS clients would then see a file called "passwd" within the [tmp] share that could be read and would allow clients to read /etc/passwd.
+
+If the "wide links" parameter is set to "no", any attempt to read this file will fail with an "access denied" error.
+
+The problem occurs as Samba allows clients using the UNIX extensions (which are also turned on by default) to create symlinks on remotely mounted shares on which they have write access that point to any path on the file system.
+
+This is by design, as applications running on UNIX clients may have good reasons to create symlinks anywhere on the filesystem they have write access that point to local files (such as /etc/passwd).
+
+UNIX clients will resolve these links locally, but Windows clients will resolve them on the server. It is this combination that causes the problem.
+
+All future versions of Samba will have the parameter "wide links" set to "no" by default, and the manual pages will be updated to explain this issue.
+
+http://www.samba.org/samba/news/symlink_attack.html
+
+
+==================
+Patch Availability
+==================
+
+A Patch addressing this issue has been posted to:
+
+    http://www.samba.org/samba/security/
+
+Additionally, Samba 3.3.12, 3.4.7 and 3.5.1 have been issued
+as security releases to correct the defect.  Samba administrators are
+advised to upgrade to these releases or apply the patch as soon
+as possible.
+
+==========
+Workaround
+==========
+
+Set:
+
+  wide links = no
+
+in the [global] section of your smb.conf and restart smbd to eliminate this
+problem.
+
+=======
+Credits
+=======
+
+A user named "kcopedarookie" posted what they claim to be a video of a zero-day exploit in Samba on youtube 2010-02-04.
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+</pre>
+</body>
+</html>


-- 
Samba Website Repository

More information about the samba-cvs mailing list