SecurityTracker.com






Category:   Application (Generic)  >   Samba
Vendors:   Samba.org
Samba SMB Networking Software Allows Local Users to Destroy Data on Local Devices
SecurityTracker Alert ID:  1001339
SecurityTracker URL:  http://securitytracker.com/id/1001339
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 18 2001
Impact:   Denial of service via local system, Modification of system information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 2.0.8
Description:   A routine security audit by Caldera has turned up a vulnerability in Samba, the popular SMB networking software for Windows-compatible internetworking. The vulnerability reportedly allows local users to destroy data on local devices.

Previous versions of Samba (prior to 2.0.8) contained a race condition bug in the handling of temporary files that allows local users to destroy data on local devices. The vendor reports that exploitation of this vulnerability is fairly easy and that sites with untrusted local users should take the threat seriously.
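
The advisory does not show the affected Samba code, so the following is an added illustration of the general bug class it names (a temporary-file race), not code from Samba or from this alert. The function names, the scratch directory and the file names are hypothetical; the scenario is constructed inside a private directory and contrasts a predictable-name open with an atomic, exclusive one.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern: a predictable name opened with O_CREAT|O_TRUNC. If a link
 * already sits at that name, open() follows it and truncates whatever file
 * or device the link points to. */
int open_tmp_weak(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_CREAT|O_EXCL creates atomically and fails if the name already
 * exists, symlinks included; O_NOFOLLOW is a second guard. */
int open_tmp_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario: "victim" stands in for the data at risk, "job.tmp"
 * for the predictable temporary name. Returns a bitmask:
 * 1 = hardened open refused the pre-existing link,
 * 2 = weak open truncated the victim; -1 on setup failure. */
int tmp_race_demo(void) {
    char dir[] = "/tmp/tmprace-XXXXXX", victim[64], tmp[64];
    struct stat st;
    int fd, result = 0;
    FILE *f;

    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmp, sizeof tmp, "%s/job.tmp", dir);
    if (!(f = fopen(victim, "w"))) return -1;
    fputs("important data\n", f);
    fclose(f);
    if (symlink(victim, tmp) != 0) return -1;
    fd = open_tmp_safe(tmp);              /* must fail: name already exists */
    if (fd < 0) result |= 1; else close(fd);
    fd = open_tmp_weak(tmp);              /* follows the link, O_TRUNC fires */
    if (fd >= 0) close(fd);
    if (stat(victim, &st) == 0 && st.st_size == 0) result |= 2;
    unlink(tmp); unlink(victim); rmdir(dir);
    return result;
}

int main(void) {
    printf("result mask: %d\n", tmp_race_demo());
    return 0;
}
```

For code that only needs a scratch file, `mkstemp()` gives the same exclusive-create guarantee with an unpredictable name.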

Impact:   Local users can destroy data on local devices.
Solution:   The vendor has released version 2.0.8 to fix the vulnerability.
Vendor URL:  www.samba.org/
Cause:   State error
Underlying OS:   Linux (Any), MPE/iX (HP), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Immunix Releases Fix) Re: Samba SMB Networking Software Allows Local Users to Destroy Data on Local Devices   (Chris Wright <chris@wirex.com>)
Immunix releases a fix.
(Debian Releases Fix) Re: Samba SMB Networking Software Allows Local Users to Destroy Data on Local Devices   (debian-security-announce@LISTS.DEBIAN.ORG)
Debian releases a fix and provides a few more details about the vulnerability.
(Trustix Releases Fix) Re: Samba SMB Networking Software Allows Local Users to Destroy Data on Local Devices   (tsl@TRUSTIX.COM)
Trustix has released a fix.
(Caldera Releases Fix) Re: Samba SMB Networking Software Allows Local Users to Destroy Data on Local Devices   (Caldera Support Information <sup-info@opus.calderasystems.com>)
Caldera has released a fix.
(Debian Releases Updated Fix) Re: Samba SMB Networking Software Allows Local Users to Destroy Data on Local Devices   (Wichert Akkerman <wichert@cistron.nl>)
Debian has released an updated fix. The earlier fix was not correct.
(Progeny Releases Fix) Re: Samba SMB Networking Software Allows Local Users to Destroy Data on Local Devices   (Progeny Security Team <security@PROGENY.COM>)
Progeny has released a fix.
(Conectiva Releases Fix) Re: Samba SMB Networking Software Allows Local Users to Destroy Data on Local Devices   (secure@CONECTIVA.COM.BR)
Conectiva has released a fix.
(Mandrake Releases Fix) Re: Samba SMB Networking Software Allows Local Users to Destroy Data on Local Devices   (Linux Mandrake Security Team <security@LINUX-MANDRAKE.COM>)
Mandrake has released a fix.
(FreeBSD Releases Fix) Re: Samba SMB Networking Software Allows Local Users to Destroy Data on Local Devices   (FreeBSD Security Advisories <security-advisories@FreeBSD.ORG>)
FreeBSD released a fix.
(Revised Fix Is Available - v2.0.9) Re: Samba SMB Networking Software Allows Local Users to Destroy Data on Local Devices   (Wichert Akkerman <wichert@cistron.nl>)
A new fix has been released (2.0.9). The previous fix contained a flaw.
(Red Hat Releases Revised Fix) Re: Samba SMB Networking Software Allows Local Users to Destroy Data on Local Devices   (bugzilla@redhat.com)
Red Hat has released an updated fix.
(Caldera Releases Updated Fix) Re: Samba SMB Networking Software Allows Local Users to Destroy Data on Local Devices   (Caldera Support Information <sup-info@mazama.calderasystems.com>)
Caldera has released an updated fix.
(Trustix Releases Updated Fix) Re: Samba SMB Networking Software Allows Local Users to Destroy Data on Local Devices   (tsl@trustix.com)
Trustix has issued an updated fix (v2.0.9).
(FreeBSD Issues Update Fix) Re: Samba SMB Networking Software Allows Local Users to Destroy Data on Local Devices   (FreeBSD Security Advisories <security-advisories@FreeBSD.ORG>)
The vendor has released an updated fix (version 2.0.9).



 Source Message Contents

Date:  Tue, 17 Apr 2001 23:08:23 -0400
Subject:  Samba vulnerability


              WHATS NEW IN Samba 2.0.8
              ========================

Samba 2.0.8 is a security bugfix release. Previous versions of Samba
had a bug with the handling of temporary files that allows local users
to destroy data on local devices. This bug was discovered during a
routine security audit by Caldera. While no exploitation of this bug
is known to have occurred it is fairly easy to exploit so sites with
untrusted local users should take the threat seriously.

The only changes in 2.0.8 are the security updates. This is to
maximise stability for those sites that cannot afford to risk any
other sort of update. For most sites the Samba Team recommends that
the new 2.2.x version of Samba be used instead, as that provides not
only the security fixes but much greater functionality and many more
bug fixes.


Samba Team
April 2001


 
 



Copyright 2014, SecurityGlobal.net LLC