** Please note that this issue is SEMI-PUBLIC and no information should be disclosed until it is made public, see "Whiteboard" for a date **
Volker Lendecke informed us about the following vulnerability:
The smbclient utility in Samba 3.2.0 - 3.2.12 contains a
format string vulnerability where commands dealing with
file names treat user input as format strings to asprintf.
An example is:
smb: \> put aa%3Fbb
putting file aa%3Fbb as \aa0,000000bb (0,0 kb/s) (average 0,0 kb/s)
As is obvious, "aa%3Fbb" is interpreted as a format string.
With a maliciously crafted file name smbclient can be made
to execute code triggered by the server.
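The bug class described above, shown next to its fix as an added example; this is not code from the Samba source or from the attached patch. `xasprintf`, `remote_name`, `remote_name_vulnerable` and the `SHOW_VULNERABLE` guard are hypothetical names, and the wrapper stands in for asprintf so that the compiler's format checking can be attached to it.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical wrapper (not Samba's code): allocate a formatted string.
 * The format attribute makes GCC/Clang check every caller's format argument. */
__attribute__((format(printf, 1, 2)))
static char *xasprintf(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(NULL, 0, fmt, ap);      /* first pass: measure */
    va_end(ap);
    if (n < 0) return NULL;
    char *out = malloc((size_t)n + 1);
    if (out == NULL) return NULL;
    va_start(ap, fmt);
    vsnprintf(out, (size_t)n + 1, fmt, ap);   /* second pass: write */
    va_end(ap);
    return out;
}

#ifdef SHOW_VULNERABLE
/* Bug class from the report: the file name itself is the format string, so
 * "%3F" makes printf fetch a double that was never passed (undefined behaviour). */
static char *remote_name_vulnerable(const char *name)
{
    return xasprintf(name);
}
#endif

/* Hardened form: constant format string, file name passed only as data. */
static char *remote_name(const char *cur_dir, const char *name)
{
    return xasprintf("%s%s", cur_dir, name);
}

int main(void)
{
    const char *name = "aa%3Fbb";             /* input taken from the report */
    char *r = remote_name("\\", name);
    if (r == NULL) return 1;
    printf("putting file %s as %s\n", name, r);
    free(r);
    return 0;
}
```

Building with `-DSHOW_VULNERABLE -Wformat -Wformat-security` makes GCC or Clang flag the call in `remote_name_vulnerable` at compile time.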
Created attachment 195066
Backported patch from the 3.3.* series
3.2.13, containing this patch, is to be released on the 23rd.
Multiple format string vulnerabilities in client/client.c in
smbclient in Samba 3.2.0 through 3.2.12 might allow context-dependent
attackers to execute arbitrary code via format string specifiers in a
*samba-3.2.13 (25 Jun 2009)
25 Jun 2009; Patrick Lauer <email@example.com> +samba-3.2.13.ebuild:
Bump to 3.2.13
It's in the tree.