
Bug 274601 (CVE-2009-1886)

Summary: <net-fs/samba-3.2.13: smbclient format string vulnerability (CVE-2009-1886)
Product: Gentoo Security Reporter: Alex Legler (RETIRED) <a3li>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: samba
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.samba.org/samba/security/CVE-2009-1886.html
Whiteboard: ~1 [noglsa]
Package list:
Runtime testing required: ---
Attachments:
  Description: Backported patch from the 3.3.* series
  Flags: none

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-06-18 11:40:46 UTC
** Please note that this issue is SEMI-PUBLIC and no information should be disclosed until it is made public, see "Whiteboard" for a date **

Volker Lendecke informed us about the following vulnerability:

The smbclient utility in Samba 3.2.0 - 3.2.12 contains a
format string vulnerability where commands dealing with
file names treat user input as format strings to asprintf.

An example is:

smb: \> put aa%3Fbb
putting file aa%3Fbb as \aa0,000000bb (0,0 kb/s) (average 0,0 kb/s)

As is obvious, "aa%3Fbb" is interpreted as a format string.
With a maliciously crafted file name smbclient can be made
to execute code triggered by the server.
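
The pattern described in the report above, shown beside its corrected form, as an added illustration that is not Samba source code and not part of the original bug report. The function names are hypothetical, and `snprintf` stands in for `asprintf` because both parse their format argument the same way.

```c
/* Added illustration, not Samba source. snprintf stands in for asprintf;
 * both parse their format argument the same way. Names are hypothetical. */
#include <stdio.h>
#include <string.h>

/* BEFORE: the file name is passed as the format string, so every '%'
 * in it is parsed as a conversion. Compilers report this call under
 * -Wformat-security; the pragmas silence it only to show the pattern. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int status_line_unsafe(char *out, size_t n, const char *fname)
{
    return snprintf(out, n, fname);
}
#pragma GCC diagnostic pop

/* AFTER: constant format, file name passed as data.
 * Returns the length written, or -1 on error or truncation. */
int status_line_safe(char *out, size_t n, const char *fname)
{
    int len = snprintf(out, n, "%s", fname);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

int main(void)
{
    /* Constructed names. "%%" takes no argument, so the unsafe call is
     * well defined here yet still alters the name. */
    const char *benign = "aa%%bb";
    const char *from_report = "aa%3Fbb";   /* name quoted in the bug */
    char buf[64];

    status_line_unsafe(buf, sizeof buf, benign);
    printf("unsafe: %s -> %s\n", benign, buf);        /* aa%%bb -> aa%bb */

    status_line_safe(buf, sizeof buf, benign);
    printf("safe:   %s -> %s\n", benign, buf);        /* unchanged */

    /* Only the safe path is given a name with a real conversion. */
    if (status_line_safe(buf, sizeof buf, from_report) >= 0)
        printf("safe:   %s -> %s\n", from_report, buf);
    return 0;
}
```

Building client code with `-Wformat -Werror=format-security` turns the "before" call into a compile error.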
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-06-18 11:46:10 UTC
Created attachment 195066
Backported patch from the 3.3.* series

3.2.13, containing this patch, is to be released on the 23rd.
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2009-06-25 13:50:27 UTC
CVE-2009-1886 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1886):
  Multiple format string vulnerabilities in client/client.c in
  smbclient in Samba 3.2.0 through 3.2.12 might allow context-dependent
  attackers to execute arbitrary code via format string specifiers in a
  filename.
Comment 3 Patrick Lauer gentoo-dev 2009-06-27 06:17:36 UTC
*samba-3.2.13 (25 Jun 2009)

  25 Jun 2009; Patrick Lauer <patrick@gentoo.org> +samba-3.2.13.ebuild:
  Bump to 3.2.13

It's in the tree.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-06-27 08:31:21 UTC
thanks, closing.