| Summary: | <net-fs/cifs-utils-5.1: mount.cifs mtab locking Denial of Service (CVE-2011-3585) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Tim Sammut (RETIRED) <underling> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | samba |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugzilla.samba.org/show_bug.cgi?id=7179 | | |
| Whiteboard: | ~3 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Tim Sammut (RETIRED)
2011-10-02 05:06:18 UTC
CVE-2011-3585 is still reserved [1] and our stable samba doesn't allow mount.cifs to be installed setuid root.

[1] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-3585

(In reply to comment #1)
> CVE-2011-3585 is still reserved [1]

Not sure what that has to say as to the nature of the issue. CVEs usually take a few days to be filled in.

> and our stable samba doesn't allow
> mount.cifs to be installed setuid root.

Our "stable samba" implies that our testing samba behaves differently?

Also, next time, please just state your reasons why a bug is invalid in your opinion without closing the bug; *we* will do that after confirming your explanation.

Reopening until my questions are answered.

(In reply to comment #2)
> (In reply to comment #1)
> > CVE-2011-3585 is still reserved [1]
>
> Not sure what that has to say as to the nature of the issue. CVEs usually take
> a few days to be filled in.
>
> > and our stable samba doesn't allow
> > mount.cifs to be installed setuid root.
>
> Our "stable samba" implies that our testing samba behaves differently?

Currently there is no testing samba, only a masked one. Masked samba 3.6.0 and above use net-fs/cifs-utils as the provider for mount.cifs. I've dropped the setuid flag from cifs-utils; however, users are free to set it setuid (as they were when the ebuild provided a setuid USE flag).

> Also, next time, please just state your reasons why a bug is invalid in your
> opinion without closing the bug; *we* will do that after confirming your
> explanation.

Got it.

04 Oct 2011; Víctor Ostorga <vostorga@gentoo.org> cifs-utils-5.1.ebuild:
Dropping setuid flag, CVE-2011-3585 bug 385315

-> net-fs/cifs-utils is noglsa for ~arch only

So our stable net-fs/samba versions are not vulnerable because they don't allow mount.cifs to be installed setuid root. Our unstable net-fs/samba relies on net-fs/cifs-utils, which was vulnerable but is now fixed. Re-rating to ~3 and closing.
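The whole thread turns on one precondition: the mtab locking problem only matters to a local unprivileged user if mount.cifs is installed setuid root, and the fix on the Gentoo side was simply to stop installing it that way while leaving administrators free to re-add the bit. The audit helper below is an added example, not code from the bug, from Gentoo or from the cifs-utils project; it reports whether a mount.cifs binary on the local system still carries setuid root. The install paths it probes are an assumption about common layouts, not anything the page states.

```sh
#!/bin/sh
# Added audit helper (not from the Gentoo bug or cifs-utils): report whether
# mount.cifs carries the setuid-root bit, the precondition under which the
# mtab locking issue is reachable by an unprivileged local user.

# is_setuid FILE: exit 0 if FILE exists and has the setuid bit set.
is_setuid() {
    [ -u "$1" ]
}

# is_setuid_root FILE: exit 0 only if FILE is setuid AND owned by root.
# A setuid bit on a non-root-owned file does not grant root, so it is
# reported separately rather than lumped in with the dangerous case.
is_setuid_root() {
    [ -u "$1" ] && [ -n "$(find "$1" -user root -print 2>/dev/null)" ]
}

# setuid_status FILE: print one of "missing", "setuid-root",
# "setuid-nonroot" or "not-setuid" for FILE.
setuid_status() {
    if [ ! -e "$1" ]; then
        echo "missing"
    elif is_setuid_root "$1"; then
        echo "setuid-root"
    elif is_setuid "$1"; then
        echo "setuid-nonroot"
    else
        echo "not-setuid"
    fi
}

# audit_mount_cifs: check the usual install locations (assumed paths) and
# print one "path: status" line each; "setuid-root" is the line to act on.
audit_mount_cifs() {
    for p in /sbin/mount.cifs /usr/sbin/mount.cifs \
             /bin/mount.cifs /usr/bin/mount.cifs; do
        printf '%s: %s\n' "$p" "$(setuid_status "$p")"
    done
}

audit_mount_cifs
```

If a line reads `setuid-root` on a host where the cifs-utils package is expected to install the binary without the bit, the bit was added locally (or by an older ebuild with the setuid USE flag) and `chmod u-s` on that path restores the package default; user mounts of CIFS shares will then require root or sudo again, which is the trade-off the thread accepts.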