A flaw in the mount.cifs program, when installed suid, prevents it from checking the user's privileges when provided a password or credential path, prior to obtaining root privileges. This allows a user to use a password or credential file to which they would not have access. As well, when the --verbose option is provided, the user can view the first line of that file.
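The flaw described above is a setuid program opening a user-supplied file while its effective uid is root. As an added example (not the upstream Samba patch and not code from this bug), the C code below contrasts that pattern with opening the file under the invoker's real uid and gid; the function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Flawed pattern described in the report: in a setuid-root binary this
 * open() runs with euid 0, so the invoker's file permissions are ignored. */
int open_privileged(const char *path)
{
    return open(path, O_RDONLY | O_CLOEXEC);
}

/* Hardened pattern: open the user-supplied path with the invoker's identity. */
int open_as_invoker(const char *path)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();
    /* Drop the group first; after seteuid() we may no longer be allowed to. */
    if (setegid(rgid) != 0)
        return -1;
    if (seteuid(ruid) != 0)
        return setegid(egid) != 0 ? -2 : -1;
    int fd = open(path, O_RDONLY | O_CLOEXEC);  /* kernel checks ruid/rgid */
    /* Regain privilege for the later mount(2); failing to do so is fatal. */
    if (seteuid(euid) != 0 || setegid(egid) != 0) {
        if (fd >= 0)
            close(fd);
        return -2;
    }
    return fd;
}

/* Read the first line (the password) of a file the invoker may read.
 * Returns its length, or -1 if the file cannot be opened or read. */
long read_first_line(const char *path, char *buf, size_t len)
{
    int fd = len ? open_as_invoker(path) : -1;
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    buf[strcspn(buf, "\r\n")] = '\0';
    return (long)strlen(buf);
}
```

When the binary is not setuid, the real and effective ids are equal and `open_as_invoker()` behaves like a plain `open()`.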
Created attachment 362916: upstream patches to correct CVE-2009-2948 for samba 3.0.36, 3.2.14, 3.4.1
This issue does not affect Red Hat Enterprise Linux 4 and 5 by default as mount.cifs is not provided with the setuid bit enabled. If a user has turned on the setuid bit (via 'chmod +s /sbin/mount.cifs'), they would be affected by this issue and can work around the problem by removing the setuid bit. Red Hat Enterprise Linux 3 does not provide the mount.cifs program. The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/
Upstream advisory: http://www.samba.org/samba/security/CVE-2009-2948.html
Fixed upstream in versions: 3.0.37, 3.2.15, 3.3.8 and 3.4.2
Created attachment 363489: patch -- backports of upstream patches
This is a backport of the 2 upstream patches for this CVE, plus an older patch that I pulled in to make the others apply more cleanly. I've given it some basic smoke testing and it seems to work ok.
samba-3.2.15-0.36.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
samba-3.4.2-0.42.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
Via RHSA-2009:1529 https://rhn.redhat.com/errata/RHSA-2009-1529.html
This issue has been addressed in the following products:
Extras for Red Hat Enterprise Linux 5
Via RHSA-2009:1585 https://rhn.redhat.com/errata/RHSA-2009-1585.html