COMMAND

    samba

SYSTEMS AFFECTED

    samba-1.9.18 (RedHat Linux, Caldera OpenLinux and PHT TurboLinux)

PROBLEM

    The Samba team has discovered two security vulnerabilities in  the
    samba-1.9.18 RPMs as distributed by RedHat, Caldera and TurboLinux
    No other distributions of Samba are affected.

    The first problem is the installation permissions of the  wsmbconf
    binary.   The RPM  installs wsmbconf  as a  setgid binary owned by
    group root and executable by all users.  The wsmbconf program  was
    a prototype application and was never meant to make its way into a
    Samba release.  It was not designed to be setgid and is vulnerable
    to  attack  by  local  users  when  installed  setgid.  The second
    problem is that the spec file creates a world writeable spool area
    /var/spool/samba but does not set the t bit.  The t bit should  be
    set on Samba spool directories.

    1) non-privileged users can use wsmbconf to gain read/write access
       to any file which is accessible to the root group.
    2) non-privileged users can  alter the content of  documents being
       printed by other users.  If an interpreter such  as ghostscript
       is used to  process print files  then the insertion  of exploit
       code  into  print  files  may  allow  an  attacker  to  exploit
       vulnerabilities  in  the  interpreter  to  gain access to files
       owned by users submitting print jobs.

    The /var/spool/samba vulnerability is  known to affect all  binary
    versions of Samba distributed with  RedHat from version 4.0 up  to
    5.2. It is  believed to also  affect a wide  range of Caldera  and
    TurboLinux versions but specifics are not available at this time.

SOLUTION

    Systems on which Samba has been built from the distributed  source
    code (the .tar.gz files) are not vulnerable.  Both vulnerabilities
    are present only in the packaging files used for particular binary
    distributions.   You  can  tell  if  your  system is vulnerable by
    looking for  a file  called /usr/sbin/wsmbconf.  If you  have that
    file then you have a vulnerable installation.

    All  systems  on  which  /usr/sbin/wsmbconf  is  installed  should
    immediately remove that file (rm -f /usr/sbin/wsmbconf).  Removing
    that  file  will  not  in  any  way  adversely  affect  your Samba
    installation as the file is not actually part of Samba 1.9.18.  It
    was  included  in  the  distribution  inadvertently.   All systems
    which have a /var/spool/samba  directory should ensure that  the t
    bit is set on that directory (chmod +t /var/spool/samba).

    RedHat and Caldera have released new RPMs on their ftp sites.   It
    is expect PHT to release new RPMs shortly.

    Caldera

        ftp.caldera.com:/pub/OpenLinux/updates/1.3/007

    Redhat

      Red Hat Linux 4.2
        alpha ftp://updates.redhat.com/4.2/alpha/samba-1.9.18p10-0.alpha.rpm
        i386  ftp://updates.redhat.com/4.2/i386/samba-1.9.18p10-0.i386.rpm
        sparc ftp://updates.redhat.com/4.2/sparc/samba-1.9.18p10-0.sparc.rpm

      Red Hat Linux 5.0, 5.1 and 5.2:
        alpha ftp://updates.redhat.com/5.2/alpha/samba-1.9.18p10-5.alpha.rpm
        i386  ftp://updates.redhat.com/5.2/i386/samba-1.9.18p10-5.i386.rpm
        sparc ftp://updates.redhat.com/5.2/sparc/samba-1.9.18p10-5.sparc.rpm