Rapid7 Vulnerability & Exploit Database

RHSA-2001:044: New samba packages available to fix /tmp races


Severity: 2
CVSS: (AV:L/AC:L/Au:N/C:N/I:P/A:N)
Published: 07/02/2001
Created: 07/25/2018
Added: 10/28/2005
Modified: 07/04/2017

Description

New samba packages are available; these packages fix /tmp races in smbclient and the printing code. By exploiting these vulnerabilities, local users could overwrite any file in the system. It is recommended that all samba users upgrade to the fixed packages. Please note that the packages for Red Hat Linux 6.2 require an updated logrotate package. Note: these packages include the security patch from Samba-2.0.9.

The printing code in smbd uses predictable filenames in /tmp and passes them as an output file to system(). A user could create a symbolic link in /tmp and then overwrite any file on the system. Later on, chmod(0666) is called on the file, leading to even more problems. The smbclient 'more' and 'mput' commands also used /tmp files insecurely; this is less of a risk in that these are not normally run as root. Thanks go to Marcus Meissner (mm@caldera.de) for investigating the issue and to the Samba team for providing a patch.
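
The class of bug described above, shown next to hardened alternatives. This is an added example, not code from Samba or from the advisory; all function names and the spool.XXXXXX template are assumptions chosen for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Contrast only: the pattern the advisory describes. A guessable name is
 * opened by path (symlinks followed, existing files truncated) and then
 * chmod()ed by path, so both calls act on whatever the name points at. */
int spool_open_unsafe(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd >= 0) chmod(path, 0666);
    return fd;
}

/* Fixed name required: O_EXCL fails if anything, including a symlink,
 * already sits at the path; O_NOFOLLOW is an extra guard. */
int spool_open_fixed(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred: mkstemp() picks an unpredictable name and creates it
 * exclusively with mode 0600. The chosen path is written back into buf. */
int spool_open_random(const char *dir, char *buf, size_t len) {
    int n = snprintf(buf, len, "%s/spool.XXXXXX", dir);
    if (n < 0 || (size_t)n >= len) { errno = ENAMETOOLONG; return -1; }
    return mkstemp(buf);
}

/* Change the mode through the descriptor, after checking it is a regular,
 * singly linked file owned by this process; never chmod() by name. */
int spool_set_mode(int fd, mode_t mode) {
    struct stat st;
    if (fstat(fd, &st) != 0) return -1;
    if (!S_ISREG(st.st_mode) || st.st_nlink != 1 || st.st_uid != geteuid()) {
        errno = EPERM;
        return -1;
    }
    return fchmod(fd, mode);
}
```

Handing the open descriptor to the consumer, rather than a /tmp path for a shell command to reopen, keeps the later write bound to the file that was actually created.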

Solution(s)

  • redhat-upgrade-logrotate
  • redhat-upgrade-samba
  • redhat-upgrade-samba-client
  • redhat-upgrade-samba-common
  • redhat-upgrade-samba-swat
