New samba packages are available; these packages fix /tmp races in smbclient and the printing code. By exploiting these vulnerabilities, local users could overwrite any file on the system. It is recommended that all samba users upgrade to the fixed packages. Please note that the packages for Red Hat Linux 6.2 require an updated logrotate package. Note: these packages include the security patch from Samba-2.0.9.
The printing code in smbd uses predictable filenames in /tmp, and passes them as an output file to system(); a user could create a symbolic link in /tmp and then overwrite any file on the system; later on chmod(0666) is called on the file, leading to even more problems. The smbclient 'more' and 'mput' commands also used /tmp files insecurely; this is less of a risk in that these are not normally run as root. Thanks go to Marcus Meissner (firstname.lastname@example.org) for investigating the issue and to the Samba team for providing a patch.
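The class of bug described above, shown as an added C example; it is not Samba's code or the Samba patch. All function and file names are hypothetical, and the scenario is constructed inside a private mkdtemp() directory. It contrasts a predictable name opened without O_EXCL with an exclusive open and with mkstemp().

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern from the advisory: a predictable name opened for writing without
 * O_EXCL, as a shell ">" redirect under system() does. Follows symlinks. */
static int open_predictable(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: fail if anything, including a symlink, already has that name. */
static int open_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred: mkstemp() picks an unpredictable name and creates it atomically
 * with mode 0600. tmpl must end in "XXXXXX" and is rewritten in place. */
int open_spool(char *tmpl) { return mkstemp(tmpl); }

/* Constructed scenario: "job.tmp" is a symlink to a 4-byte file "victim".
 * Returns victim's size after the chosen open is attempted on job.tmp. */
long victim_size_after(int exclusive)
{
    char dir[] = "/tmp/spooldemoXXXXXX", victim[64], job[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(job, sizeof job, "%s/job.tmp", dir);
    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "keep", 4) != 4 || close(fd) != 0) return -1;
    if (symlink(victim, job) != 0) return -1;
    fd = exclusive ? open_exclusive(job) : open_predictable(job);
    if (fd >= 0) close(fd);
    long size = (stat(victim, &st) == 0) ? (long)st.st_size : -1;
    unlink(job); unlink(victim); rmdir(dir);
    return size;
}

int main(void)
{
    printf("predictable open: %ld bytes left, exclusive open: %ld bytes left\n",
           victim_size_after(0), victim_size_after(1));
    return 0;
}
```

The exclusive open fails with EEXIST when a symlink already occupies the name, so the file behind the link is never touched; a later chmod() on a path, as the advisory mentions, would need the same care (fchmod() on the open descriptor instead).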