Bug 526074 (CVE-2009-2948)
Summary: | CVE-2009-2948 samba: information disclosure in suid mount.cifs | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> | ||||||
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||||
Status: | CLOSED ERRATA | QA Contact: | |||||||
Severity: | low | Docs Contact: | |||||||
Priority: | low | ||||||||
Version: | unspecified | CC: | azelinka, gdeschner, jlayton, kreilly, mjc, ssorce | ||||||
Target Milestone: | --- | Keywords: | Security | ||||||
Target Release: | --- | ||||||||
Hardware: | All | ||||||||
OS: | Linux | ||||||||
Whiteboard: | |||||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||||
Doc Text: | Story Points: | --- | |||||||
Clone Of: | Environment: | ||||||||
Last Closed: | 2009-11-19 15:00:57 UTC | Type: | --- | ||||||
Regression: | --- | Mount Type: | --- | ||||||
Documentation: | --- | CRM: | |||||||
Verified Versions: | Category: | --- | |||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||
Embargoed: | |||||||||
Bug Depends On: | 526658, 526659, 526660, 526661, 526663 | ||||||||
Bug Blocks: | |||||||||
Attachments: |
|
Description
Vincent Danen
2009-09-28 16:58:06 UTC
Created attachment 362916 [details] upstream patches to correct CVE-2009-2948 for samba 3.0.36, 3.2.14, 3.4.1 This issue does not affect Red Hat Enterprise Linux 4 and 5 by default as mount.cifs is not provided with the setuid bit enabled. If a user has turned on the setuid bit (via 'chmod +s /sbin/mount.cifs'), they would be affected by this issue and can workaround the problem by removing the setuid bit. Red Hat Enterprise Linux 3 does not provide the mount.cifs program. The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Upstream advisory: http://www.samba.org/samba/security/CVE-2009-2948.html Fixed upstream in versions: 3.0.37, 3.2.15, 3.3.8 and 3.4.2 Created attachment 363489 [details]
patch -- backports of upstream patches
This is a backport of the 2 upstream patches for this CVE, plus an older patch that I pulled in to make the others apply more cleanly.
I've given it some basic smoke testing and it seems to work ok.
samba-3.2.15-0.36.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report. samba-3.4.2-0.42.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report. This issue has been addressed in following products: Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Via RHSA-2009:1529 https://rhn.redhat.com/errata/RHSA-2009-1529.html This issue has been addressed in following products: Extras for Red Hat Enterprise Linux 5 Via RHSA-2009:1585 https://rhn.redhat.com/errata/RHSA-2009-1585.html |