Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 45965 - net-fs/samba 'smbprint' script tmpfile vulnerability
Summary: net-fs/samba 'smbprint' script tmpfile vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://seclists.org/lists/bugtraq/200...
Whiteboard:
Keywords:
Depends on:
Blocks: 41800
  Show dependency tree
 
Reported: 2004-03-28 03:00 UTC by Tobias Weisserth
Modified: 2004-04-30 00:45 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---
condordes: Assigned_To? (condordes)


Attachments
samba-3.0.2a-smbprint.patch (samba-3.0.2a-smbprint.patch,1.20 KB, patch)
2004-04-09 14:26 UTC, Joshua J. Berry (CondorDes) (RETIRED)
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Tobias Weisserth 2004-03-28 03:00:49 UTC
See the original mail on bugtraq:

http://seclists.org/lists/bugtraq/2004/Mar/0189.html

and the answer from the Samba team (URL):

http://seclists.org/lists/bugtraq/2004/Mar/0195.html

This is maybe only a minor issue and doesn't affect a great percentage of Gentoo users but it should be fixed nevertheless.

regards,
Tobias

Reproducible: Always
Steps to Reproduce:
Comment 1 Kurt Lieber (RETIRED) gentoo-dev 2004-03-30 00:09:46 UTC
Donny -- comments?
Comment 2 Donny Davies (RETIRED) gentoo-dev 2004-03-30 06:05:07 UTC
Hi Kurt

This file is packaged in their examples/ directory, not a big deal.

It will be fixed in the next release.
Comment 3 Kurt Lieber (RETIRED) gentoo-dev 2004-03-30 06:21:52 UTC
Sounds great.  I'll leave the bug open just to track it until then and then close it.

Thanks for the update.
Comment 4 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-04-09 13:13:51 UTC
I'll look at this one, as long as I'm looking at bug 41800.
Comment 5 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-04-09 14:26:47 UTC
Created attachment 28985 [details, diff]
samba-3.0.2a-smbprint.patch

Patch to fix tmpfile symlink bug.

I noticed there are two versions of smbprint available -- smbprint and
smbprint-new.sh -- so I patched both of them.

Can someone (preferably more than one someone) please review this patch and let
me know if it's OK?

I'll attach an updated ebuild for this and for the setuid issue to bug 41800
when I'm finished testing.
Comment 6 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-04-13 13:21:09 UTC
Also CCing mglauche on the smbprint bug.
Comment 7 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-04-14 13:29:57 UTC
Subject needs both category and package name.
Comment 8 Michael Glauche (RETIRED) gentoo-dev 2004-04-16 00:20:07 UTC
Also, worth noting that this is a documentation bug, so upgrading to the "fixed" version would give the user of the machine documentation which is fixed, but the problem still prevails. smbprint used to be the "base" for copy&paste operation, make your own script. So the sysadmin needs to correct *his/her* own version by him/herself ...

But as the original poster said, the affected userbase is *very* low, i think it only affects people who use samba on the workstation and windows on server, and use lpr/lprng as their printing package (SMB printing is supported by CUPS, so no need for this script then ..)

 
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2004-04-29 07:12:54 UTC
Common GLSA with #41800.
CondorDes: I reviewed your draft, it's OK for me.
-K
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2004-04-30 00:45:00 UTC
GLSA 200404-21