-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                     ESB-2001.210 -- RHSA-2001:044-08
              New samba packages available to fix /tmp races
                                22 May 2001

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                samba
Vendor:                 Red Hat
Operating System:       Red Hat Linux 5.2
                        Red Hat Linux 6.2
                        Red Hat Linux 7.0
                        Red Hat Linux 7.1
                        Linux
Platform:               Alpha
                        i386
                        Sparc
Impact:                 Overwrite Arbitrary Files
Access Required:        Existing Account

- --------------------------BEGIN INCLUDED TEXT--------------------

- ---------------------------------------------------------------------
                   Red Hat, Inc. Red Hat Security Advisory

Synopsis:          New samba packages available to fix /tmp races
Advisory ID:       RHSA-2001:044-08
Issue date:        2001-04-05
Updated on:        2001-05-14
Product:           Red Hat Linux
Keywords:          samba /tmp overwrite
Cross references:  
Obsoletes:         
- ---------------------------------------------------------------------

1. Topic:

New samba packages are available; these packages fix /tmp races
in smbclient and the printing code. By exploiting these vulnerabilities,
local users could overwrite any file in the system.

It is recommended that all samba users upgrade to the fixed packages.
Please note that the packages for Red Hat Linux 6.2 require an updated
logrotate package.

Note: these packages include the security patch from Samba-2.0.9.

2. Relevant releases/architectures:

Red Hat Linux 5.2 - alpha, i386, sparc

Red Hat Linux 6.2 - alpha, i386, sparc

Red Hat Linux 7.0 - alpha, i386

Red Hat Linux 7.1 - i386

3. Problem description:

The printing code in smbd uses predictable filenames in /tmp and passes
them as an output file to system().  Because smbd runs as root, a local user
who creates a symbolic link in /tmp under the predicted name can have that
output written over any file on the system; later on chmod(0666) is called on
the same path, which follows the link as well and leaves the target
world-writable, leading to even more problems.

The smbclient 'more' and 'mput' commands also used /tmp files insecurely;
this is less of a risk, since smbclient is not normally run as root.

Thanks go to Marcus Meissner (mm@caldera.de) for investigating the issue
and to the Samba team for providing a patch.
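The race described above, as an added example that is neither Samba's code nor part of the Red Hat advisory: a throwaway C program that plays both sides in a private scratch directory. The spool name smbprn.00001, the victim file, the scratch directory and the fallback to the current directory are constructed for the demo; the predictable-name open, the chmod() on the path, and the mkstemp()/fchmod() replacement are the patterns themselves. It assumes a Linux/POSIX system with a writable /tmp or current directory.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Stand-in for the predictable spool name (constructed for the demo). */
#define SPOOL_NAME "smbprn.00001"

/* Attacker (unprivileged local user): pre-create the predictable spool path
 * as a symlink to the file to be clobbered. */
static int attacker_plant_symlink(const char *dir, const char *target)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/" SPOOL_NAME, dir);
    return symlink(target, path);
}

/* Vulnerable pattern (mirrors the advisory's description, not Samba's code):
 * open a predictable name without O_EXCL, so an existing symlink is followed,
 * then chmod() the path, which follows it again.  Returns 1 if the target was
 * overwritten and made world-writable, 0 if not, -1 on error. */
static int vulnerable_spool(const char *dir, const char *target)
{
    char path[4096];
    struct stat st;
    snprintf(path, sizeof path, "%s/" SPOOL_NAME, dir);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    if (write(fd, "job\n", 4) != 4) { close(fd); return -1; }
    close(fd);
    if (chmod(path, 0666) != 0 || stat(target, &st) != 0)
        return -1;
    return (st.st_size == 4 && (st.st_mode & S_IWOTH)) ? 1 : 0;
}

/* Same predictable name with O_CREAT|O_EXCL: creation fails with EEXIST when
 * anything, including a dangling symlink, already sits at the path.
 * Returns 1 if the open was refused, 0 if it succeeded. */
static int exclusive_open_refused(const char *dir)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/" SPOOL_NAME, dir);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd >= 0) { close(fd); return 0; }
    return 1;
}

/* Safe pattern: unpredictable name created atomically by mkstemp() (O_EXCL
 * underneath), sanity-checked through the descriptor, and permissions set
 * with fchmod() on that descriptor instead of chmod() on a path that could be
 * swapped out from under us.  Returns the open fd, or -1. */
static int safe_spool(const char *dir, char *path_out, size_t path_len)
{
    struct stat st;
    snprintf(path_out, path_len, "%s/smbprn.XXXXXX", dir);
    int fd = mkstemp(path_out);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        write(fd, "job\n", 4) != 4 || fchmod(fd, 0600) != 0) {
        close(fd);
        unlink(path_out);
        return -1;
    }
    return fd;
}

/* Runs the scenario in a scratch directory created here for the demo.
 * Returns 1 when the vulnerable pattern clobbered the victim file and both
 * hardened variants did not, 0 otherwise, -1 on setup error. */
int run_demo(void)
{
    char dir[] = "/tmp/tmprace.XXXXXX";
    char victim[4096], safe_path[4096], planted[4096];
    int fd, vuln, refused, sfd, result;

    if (mkdtemp(dir) == NULL) {             /* fall back to the current directory */
        strcpy(dir, "tmprace.XXXXXX");
        if (mkdtemp(dir) == NULL)
            return -1;
    }
    snprintf(victim, sizeof victim, "%s/victim", dir);  /* stands in for e.g. /etc/passwd */
    snprintf(planted, sizeof planted, "%s/" SPOOL_NAME, dir);
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    close(fd);

    if (attacker_plant_symlink(dir, victim) != 0)
        return -1;
    vuln = vulnerable_spool(dir, victim);
    refused = exclusive_open_refused(dir);
    sfd = safe_spool(dir, safe_path, sizeof safe_path);
    result = (vuln == 1 && refused == 1 && sfd >= 0 &&
              strcmp(safe_path, victim) != 0) ? 1 : 0;

    if (sfd >= 0) { close(sfd); unlink(safe_path); }
    unlink(planted);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = run_demo();
    printf("symlink race demo: %s\n", r == 1 ? "predictable name clobbered the "
           "victim, O_EXCL and mkstemp() did not" : "unexpected result");
    return r == 1 ? 0 : 1;
}
```

Build with cc and run; it exits 0 when the predictable-name open wrote through the planted symlink and the chmod() followed it, while the O_EXCL open was refused and the mkstemp() file landed elsewhere. Checking the path with lstat() before open() is deliberately not done: that only moves the window, so all checks are made on the descriptor after an exclusive create.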

4. Solution:

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated; those which are not
installed but are included in the list will be skipped.  Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network.  Many
people find this an easier way to apply updates.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Again, note that the packages for Red Hat Linux 6.2 require an updated
logrotate package.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

33509 - Samba uses mktemp
33915 - Samba + Quota allows user to pass hard limit; but with gibberish data not correct files
31632 - Quota do not work on SAMBA Server.
36424 - security hole allows a user with a shell account to corrupt local devices
28919 - samba logrotate bug fills the partition limit

6. RPMs required:

Red Hat Linux 5.2:

SRPMS:
ftp://updates.redhat.com/5.2/en/os/SRPMS/samba-2.0.5a-2.5.2.src.rpm

alpha:
ftp://updates.redhat.com/5.2/en/os/alpha/samba-2.0.5a-2.5.2.alpha.rpm
ftp://updates.redhat.com/5.2/en/os/alpha/samba-client-2.0.5a-2.5.2.alpha.rpm

i386:
ftp://updates.redhat.com/5.2/en/os/i386/samba-2.0.5a-2.5.2.i386.rpm
ftp://updates.redhat.com/5.2/en/os/i386/samba-client-2.0.5a-2.5.2.i386.rpm

sparc:
ftp://updates.redhat.com/5.2/en/os/sparc/samba-2.0.5a-2.5.2.sparc.rpm
ftp://updates.redhat.com/5.2/en/os/sparc/samba-client-2.0.5a-2.5.2.sparc.rpm

Red Hat Linux 6.2:

SRPMS:
ftp://updates.redhat.com/6.2/en/os/SRPMS/samba-2.0.8-1.6.src.rpm
ftp://updates.redhat.com/6.2/en/os/SRPMS/logrotate-3.5.2-0.6.src.rpm

alpha:
ftp://updates.redhat.com/6.2/en/os/alpha/samba-2.0.8-1.6.alpha.rpm
ftp://updates.redhat.com/6.2/en/os/alpha/samba-client-2.0.8-1.6.alpha.rpm
ftp://updates.redhat.com/6.2/en/os/alpha/samba-common-2.0.8-1.6.alpha.rpm
ftp://updates.redhat.com/6.2/en/os/alpha/logrotate-3.5.2-0.6.alpha.rpm

i386:
ftp://updates.redhat.com/6.2/en/os/i386/samba-2.0.8-1.6.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/samba-client-2.0.8-1.6.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/samba-common-2.0.8-1.6.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/logrotate-3.5.2-0.6.i386.rpm

sparc:
ftp://updates.redhat.com/6.2/en/os/sparc/samba-2.0.8-1.6.sparc.rpm
ftp://updates.redhat.com/6.2/en/os/sparc/samba-client-2.0.8-1.6.sparc.rpm
ftp://updates.redhat.com/6.2/en/os/sparc/samba-common-2.0.8-1.6.sparc.rpm
ftp://updates.redhat.com/6.2/en/os/sparc/logrotate-3.5.2-0.6.sparc.rpm

Red Hat Linux 7.0:

SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/samba-2.0.8-1.7.src.rpm

alpha:
ftp://updates.redhat.com/7.0/en/os/alpha/samba-2.0.8-1.7.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/samba-client-2.0.8-1.7.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/samba-common-2.0.8-1.7.alpha.rpm

i386:
ftp://updates.redhat.com/7.0/en/os/i386/samba-2.0.8-1.7.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/samba-client-2.0.8-1.7.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/samba-common-2.0.8-1.7.i386.rpm

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/samba-2.0.8-1.7.1.src.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/samba-2.0.8-1.7.1.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/samba-client-2.0.8-1.7.1.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/samba-common-2.0.8-1.7.1.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/samba-swat-2.0.8-1.7.1.i386.rpm



7. Verification:

MD5 sum                           Package Name
- --------------------------------------------------------------------------
c13389ba4bf3318b49e19b6469b2e0fe 5.2/en/os/SRPMS/samba-2.0.5a-2.5.2.src.rpm
3f0a195dbf5a363459926806185e80ba 5.2/en/os/alpha/samba-2.0.5a-2.5.2.alpha.rpm
58aa6febd254fc1e0784fbf6cfcfff02 5.2/en/os/alpha/samba-client-2.0.5a-2.5.2.alpha.rpm
9a12a093f101c98a1532e37299c484ce 5.2/en/os/i386/samba-2.0.5a-2.5.2.i386.rpm
5fda5f6989dea440ccdaf08446412ba9 5.2/en/os/i386/samba-client-2.0.5a-2.5.2.i386.rpm
854c4cb488ab388141b99d477faf3e86 5.2/en/os/sparc/samba-2.0.5a-2.5.2.sparc.rpm
9352f1fda00801b00e63a899770ff8de 5.2/en/os/sparc/samba-client-2.0.5a-2.5.2.sparc.rpm
335f2123c5ce3606db471183dfcdebad 6.2/en/os/SRPMS/logrotate-3.5.2-0.6.src.rpm
e4e697ad704a84c2ea4606be6ed19f5f 6.2/en/os/SRPMS/samba-2.0.8-1.6.src.rpm
f0f9129497c91d12da04cd6219267aa3 6.2/en/os/alpha/logrotate-3.5.2-0.6.alpha.rpm
9622500299782f17bda3657f85a9ad05 6.2/en/os/alpha/samba-2.0.8-1.6.alpha.rpm
c612a2092a1b03295b7d9d9c25af583d 6.2/en/os/alpha/samba-client-2.0.8-1.6.alpha.rpm
7fdd3bdafd9833e33167b33d19d3058f 6.2/en/os/alpha/samba-common-2.0.8-1.6.alpha.rpm
33f4ce1b7967405f33f4ad1cb73fae35 6.2/en/os/i386/logrotate-3.5.2-0.6.i386.rpm
edcecaa0c060f2371225d14ba5f6d908 6.2/en/os/i386/samba-2.0.8-1.6.i386.rpm
21acd09eb2072ec859a622f91d2aaca2 6.2/en/os/i386/samba-client-2.0.8-1.6.i386.rpm
917694eaf3f0d1f640e7ac9ec9acb329 6.2/en/os/i386/samba-common-2.0.8-1.6.i386.rpm
3f14ee70fdb73ba09ef49e4c4f3c6a7f 6.2/en/os/sparc/logrotate-3.5.2-0.6.sparc.rpm
7dd43e058143351a4605df173ede02a3 6.2/en/os/sparc/samba-2.0.8-1.6.sparc.rpm
478fbb5206d9a32208a63202bb5237c5 6.2/en/os/sparc/samba-client-2.0.8-1.6.sparc.rpm
9024c3b3e1a8ce90e9545979b5fd97f2 6.2/en/os/sparc/samba-common-2.0.8-1.6.sparc.rpm
79e6f09ba81d43ee261a278ffd28e60a 7.0/en/os/SRPMS/samba-2.0.8-1.7.src.rpm
cbfae3f2420cfae17b005211a8fdf692 7.0/en/os/alpha/samba-2.0.8-1.7.alpha.rpm
f09d86bd2a942bfea3a89b00960584e3 7.0/en/os/alpha/samba-client-2.0.8-1.7.alpha.rpm
a201143cad04e8cf7c199b247bcab800 7.0/en/os/alpha/samba-common-2.0.8-1.7.alpha.rpm
a8ab5a701ae81d123b45e564e6a780d4 7.0/en/os/i386/samba-2.0.8-1.7.i386.rpm
e7cd3ef7cad58e3be9ae72aa7e7a2b33 7.0/en/os/i386/samba-client-2.0.8-1.7.i386.rpm
2ea653688e214f9b0ca6619967f77076 7.0/en/os/i386/samba-common-2.0.8-1.7.i386.rpm
54613f26efbbfe5c2664bee923e63ce4 7.1/en/os/SRPMS/samba-2.0.8-1.7.1.src.rpm
282c70feb595b651804678407b7d7b08 7.1/en/os/i386/samba-2.0.8-1.7.1.i386.rpm
6e529dfb18f06b18360c755018864f8f 7.1/en/os/i386/samba-client-2.0.8-1.7.1.i386.rpm
e5f9759330d4ac09ea02ddead9c461e1 7.1/en/os/i386/samba-common-2.0.8-1.7.1.i386.rpm
6033af45917b0cbe447187ea56aeaefa 7.1/en/os/i386/samba-swat-2.0.8-1.7.1.i386.rpm

These packages are GPG signed by Red Hat, Inc. for security.  Our key
is available at:
    http://www.redhat.com/corp/contact.html

You can verify each package with the following command:
    rpm --checksig  <filename>

If you only wish to verify that a package was not corrupted in transit,
examine only the md5sum with the following command:
    rpm --checksig --nogpg <filename>

Note that this compares the package against the md5sum it carries, not
against a trusted reference, so it does not detect tampering on its own.
Tamper detection comes from the GPG signature check above, or from comparing
the md5sum against the table in section 7 of this bulletin, whose integrity
is covered by the PGP signature on the bulletin itself.

8. References:




Copyright(c) 2000, 2001 Red Hat, Inc.



- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBOwpsaih9+71yA2DNAQFKcQQAjxuGVMwXQCWDrtOGOP86mg288rTVAMiS
ix2ZLz3KmhulcqYGSWU+0CR3fMlbkdIoiJ0Kpqh+UIM5KVxJHxsJB4y44iDQLi3M
C9wNyNuUIacys8xRitfsXQ04O4LMeNO9GuZ7/0YIsNDU2SKhEausJJQOEXZWIwnk
cYn8/31Ag9k=
=ju8f
-----END PGP SIGNATURE-----