A flaw was found in in Samba that could allow an authenticated attacker to modify permissions on a file they should not have access to. Exploiting this flaw is not trivial and a very strict set of conditions must first be met. The conditions that need to be met to exploit this are as such: 1. You must have write access to the share 2. the 'dos filemodes' option needs to be set (not by default) 3. the random in the sbuf variable must look like a valid stat (we check it in the code called by can_write_to_file()) The upstream patch is here: http://git.samba.org/?p=samba.git;a=commitdiff;h=d6c28913f3109d1327a3d1369b6eafd3874b2dca
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1888 to the following vulnerability: Name: CVE-2009-1888 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1888 Assigned: 20090602 Reference: CONFIRM: http://www.samba.org/samba/ftp/patches/security/samba-3.0.34-CVE-2009-1888.patch Reference: CONFIRM: http://www.samba.org/samba/ftp/patches/security/samba-3.2.12-CVE-2009-1888.patch Reference: CONFIRM: http://www.samba.org/samba/ftp/patches/security/samba-3.3.5-CVE-2009-1888.patch Reference: CONFIRM: http://www.samba.org/samba/security/CVE-2009-1888.html Reference: BID:35472 Reference: URL: http://www.securityfocus.com/bid/35472 Reference: SECUNIA:35539 Reference: URL: http://secunia.com/advisories/35539 Reference: VUPEN:ADV-2009-1664 Reference: URL: http://www.vupen.com/english/advisories/2009/1664 The acl_group_override function in smbd/posix_acls.c in smbd in Samba 3.0.x before 3.0.35, 3.1.x and 3.2.x before 3.2.13, and 3.3.x before 3.3.6, when dos filemode is enabled, allows remote attackers to modify access control lists for files via vectors related to read access to uninitialized memory.
The Red Hat Security Response Team has rated this issue as having low security impact, a future samba package update may address this flaw in Red Hat Enterprise Linux 4 and 5. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/
This issue has been addressed in following products: Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Via RHSA-2009:1529 https://rhn.redhat.com/errata/RHSA-2009-1529.html
This issue has been addressed in following products: Extras for Red Hat Enterprise Linux 5 Via RHSA-2009:1585 https://rhn.redhat.com/errata/RHSA-2009-1585.html