** Please note that this issue is SEMI-PUBLIC and no information should be disclosed until it is made public, see "Whiteboard" for a date **

Volker Lendecke informed us about the following vulnerability:

The smbclient utility in Samba 3.2.0 - 3.2.12 contains a format string vulnerability where commands dealing with file names treat user input as format strings to asprintf. An example is:

    smb: \> put aa%3Fbb
    putting file aa%3Fbb as \aa0,000000bb (0,0 kb/s) (average 0,0 kb/s)

As is obvious, "aa%3Fbb" is interpreted as a format string. With a maliciously crafted file name smbclient can be made to execute code triggered by the server.
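The pattern behind the report, as an added example in C that is not Samba's code: a constructed asprintf-style helper called once the vulnerable way (the name is the format) and once the fixed way (the name is only an argument), plus the check a reviewer would run over names that arrive from user input or a server listing. The sample name "aa%%bb" is constructed so the mangling stays well-defined, whereas "%3F" from the report would read an argument that was never supplied.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Portable stand-in for asprintf(): formats into a freshly malloc'd buffer. */
static char *format_as(const char *fmt, ...)
{
    va_list ap, ap2;
    va_start(ap, fmt);
    va_copy(ap2, ap);
    int n = vsnprintf(NULL, 0, fmt, ap);   /* size pass */
    va_end(ap);
    if (n < 0) { va_end(ap2); return NULL; }
    char *buf = malloc((size_t)n + 1);
    if (buf) vsnprintf(buf, (size_t)n + 1, fmt, ap2);
    va_end(ap2);
    return buf;
}

/* Vulnerable pattern (as in smbclient 3.2.0 - 3.2.12): the name itself is
 * passed where the format string belongs, so every '%' is parsed as a directive. */
static char *remote_name_vulnerable(const char *fname)
{
    return format_as(fname);
}

/* Fixed pattern: a literal format, the name only ever travels as an argument. */
static char *remote_name_fixed(const char *fname)
{
    return format_as("%s", fname);
}

/* Review/detection aid: a '%' in a name that came from the user or the server
 * is the indicator that the vulnerable path would reinterpret it. */
static int name_has_format_directive(const char *fname)
{
    return strchr(fname, '%') != NULL;
}

int main(void)
{
    const char *fname = "aa%%bb";            /* constructed sample */
    char *v = remote_name_vulnerable(fname);  /* "%%" collapses to "%" */
    char *f = remote_name_fixed(fname);       /* name preserved verbatim */
    printf("input:      %s\nvulnerable: %s\nfixed:      %s\nflagged:    %d\n",
           fname, v, f, name_has_format_directive(fname));
    free(v);
    free(f);
    return 0;
}
```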
Created attachment 195066
Backported patch from the 3.3.* series

3.2.13, containing this patch, is to be released on the 23rd.
CVE-2009-1886 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1886): Multiple format string vulnerabilities in client/client.c in smbclient in Samba 3.2.0 through 3.2.12 might allow context-dependent attackers to execute arbitrary code via format string specifiers in a filename.
*samba-3.2.13 (25 Jun 2009)

  25 Jun 2009; Patrick Lauer <patrick@gentoo.org> +samba-3.2.13.ebuild:
  Bump to 3.2.13

It's in the tree.
Thanks, closing.