Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 274601 (CVE-2009-1886) - <net-fs/samba-3.2.13: smbclient format string vulnerability (CVE-2009-1886)
Summary: <net-fs/samba-3.2.13: smbclient format string vulnerability (CVE-2009-1886)
Alias: CVE-2009-1886
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High trivial (vote)
Assignee: Gentoo Security
Whiteboard: ~1 [noglsa]
Depends on:
Reported: 2009-06-18 11:40 UTC by Alex Legler (RETIRED)
Modified: 2009-06-27 08:31 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Backported patch from the 3.3.* series (samba-bug-6478.patch,5.10 KB, patch)
2009-06-18 11:46 UTC, Alex Legler (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-06-18 11:40:46 UTC
** Please note that this issue is SEMI-PUBLIC and no information should be disclosed until it is made public, see "Whiteboard" for a date **

Volker Lendecke informed us about the following vulnerability:

The smbclient utility in Samba 3.2.0 - 3.2.12 contains a
formatstring vulnerability where commands dealing with
file names treat user input as format strings to asprintf.

An example is:

smb: \> put aa%3Fbb
putting file aa%3Fbb as \aa0,000000bb (0,0 kb/s) (average 0,0 kb/s)

As is obvious, "aa%3Fbb" is interpreted as a format string.
With a maliciously crafted file name smbclient can be made
to execute code triggered by the server.
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-06-18 11:46:10 UTC
Created attachment 195066 [details, diff]
Backported patch from the 3.3.* series

3.2.13, containing this patch, is to be released on the 23rd.
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2009-06-25 13:50:27 UTC
CVE-2009-1886 (
  Multiple format string vulnerabilities in client/client.c in
  smbclient in Samba 3.2.0 through 3.2.12 might allow context-dependent
  attackers to execute arbitrary code via format string specifiers in a
Comment 3 Patrick Lauer gentoo-dev 2009-06-27 06:17:36 UTC
*samba-3.2.13 (25 Jun 2009)

  25 Jun 2009; Patrick Lauer <> +samba-3.2.13.ebuild:
  Bump to 3.2.13

It's in the tree.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-06-27 08:31:21 UTC
thanks, closing.