On Sun, Jan 31, 2010 at 01:09:22PM +0100, Christian PERRIER wrote:
> Quoting Moritz Muehlenhoff ([email protected]):
> > Package: smbfs
> > Severity: grave
> > Tags: security
> >
> > This is CVE-2009-3297:
> > https://bugzilla.samba.org/show_bug.cgi?id=6853
> >
> > /usr/share/doc/smbfs/TODO.Debian states:
> > There is concern about the setuid status of binaries in this package.
> > The audit status of the concerned binaries is unclear. We should
> > figure out whether it is reasonable to provide the flexible user mount
> > capabilities or whether a more restricted setup is better, at least by
> > default.
> >
> > Given that Jeremy Allison writes in the bug above you should probably
> > drop the setuid for Squeeze:

> My concern here is that it would definitely be a regression for users
> who rely on user mounting of CIFS volumes.

> A compromise could be a debconf question about adding the setuid bit
> to mount.cifs (with a default to False, of course).

> Steve, your advice?

Upstream has been increasingly unsupportive of this configuration over
time, and given Jeremy's latest comments on this bug, I think the only
reasonable action here is to drop support for this in the package
entirely and document it in NEWS.Debian on upgrade.

(Users who must have this continue to work can use dpkg-statoverride to
set the suid bit; but I wouldn't even suggest that in NEWS.Debian,
because users shouldn't be encouraged to set programs suid when they're
not meant to be used that way.)

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
[email protected]                                     [email protected]
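The check a practitioner would run after reading the exchange above, as an added example that is not part of the thread, the smbfs package or the Samba project: audit which of the package's helper binaries still carry the setuid bit, and show how the bit is dropped. The helper paths in SMBFS_HELPERS are assumptions about where smbfs installed its binaries; adjust them for the system being checked. The demonstration builds its own files in a temporary directory so it runs unprivileged and offline.

```shell
#!/bin/sh
# Added example, not code from the thread or the smbfs package: audit which
# helper binaries carry the setuid bit and show how the bit is dropped.
# The helper paths below are assumptions about where smbfs installed them.

SMBFS_HELPERS="/sbin/mount.cifs /sbin/umount.cifs /usr/bin/smbmnt /usr/bin/smbumount"

# is_setuid PATH: succeed if PATH is a regular file with the setuid bit set.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# audit_setuid PATH...: print one line per path ("setuid", "ok" or "missing")
# and return 1 if any path is setuid, 0 otherwise.
audit_setuid() {
    _found=0
    for _f in "$@"; do
        if [ ! -e "$_f" ]; then
            echo "missing $_f"
        elif is_setuid "$_f"; then
            echo "setuid  $_f"
            _found=1
        else
            echo "ok      $_f"
        fi
    done
    return $_found
}

# drop_setuid PATH: clear the setuid bit with chmod. On a real Debian system
# record the change with dpkg-statoverride instead, so that a later package
# upgrade does not silently restore the packaged mode:
#   dpkg-statoverride --update --add root root 0755 /sbin/mount.cifs
# (`dpkg-statoverride --list` shows the overrides already in place).
drop_setuid() {
    chmod u-s "$1"
}

# Demonstration on constructed files in a temp dir, so it runs unprivileged.
demo() {
    _tmp=$(mktemp -d) || return 1
    printf '#!/bin/sh\n' > "$_tmp/mount.cifs"
    chmod 4755 "$_tmp/mount.cifs"     # constructed: a setuid helper
    printf '#!/bin/sh\n' > "$_tmp/smbclient"
    chmod 0755 "$_tmp/smbclient"      # constructed: a plain helper
    echo "before:"
    audit_setuid "$_tmp/mount.cifs" "$_tmp/smbclient" "$_tmp/smbmnt" || true
    drop_setuid "$_tmp/mount.cifs"
    echo "after:"
    audit_setuid "$_tmp/mount.cifs" "$_tmp/smbclient" "$_tmp/smbmnt" || true
    rm -rf "$_tmp"
}

# Run the demonstration. To audit the real system instead, call:
#   audit_setuid $SMBFS_HELPERS
demo
```

The audit reports "missing" rather than failing for helpers that are not installed, because the resolution in the thread is to stop shipping the setuid configuration, so a missing helper is the expected state on an upgraded system and only a "setuid" line needs attention.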

