The only Samba packages I'm aware of are Koon Wong's.
http://lrp.c0wz.com/files/kwarchive/

From the /etc/smb.conf file in smb.lrp:

# Samba config file created using SWAT
# from wpkgate.kc.com.my (202.184.173.241)
# Date: 1999/01/30 22:26:31

# Global parameters
        workgroup = LINUX-GRP
        netbios name = myserver
        encrypt passwords = Yes
        update encrypted = Yes
        log file = /var/log/samba/log.%m
        guest account = pcguest
        hosts allow = 202.184.173.
<<<<snip>>>>

This does use the exploitable %m variable. 

At 05:36 PM 06/24/2001 -0700, Kenneth Hadley wrote:

>I believe there is a Samba LRP package floating about so this is probably a
>VERY relevant Security bug from the Samba mailing list
>
>
>----- Original Message -----
>From: "Andrew Tridgell" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Friday, June 22, 2001 5:26 PM
>Subject: URGENT: Samba security hole
>
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>>
>> IMPORTANT: Security bugfix for Samba
>> ------------------------------------
>>
>> June 23rd 2001
>>
>>
>> Summary
>> - -------
>>
>> A serious security hole has been discovered in all versions of Samba
>> that allows an attacker to gain root access on the target machine for
>> certain types of common Samba configuration.
>>
>> The immediate fix is to edit your smb.conf configuration file and
>> remove all occurrences of the macro "%m". Replacing occurrences of %m
>> with %I is probably the best solution for most sites.
>>
>> Details
>> - -------
>>
>> A remote attacker can use a netbios name containing unix path
>> characters which will then be substituted into the %m macro wherever
>> it occurs in smb.conf. This can be used to cause Samba to create a log
>> file on top of an important system file, which in turn can be used to
>> compromise security on the server.
>>
>> The most commonly used configuration option that can be vulnerable to
>> this attack is the "log file" option. The default value for this
>> option is VARDIR/log.smbd. If the default is used then Samba is not
>> vulnerable to this attack.
>>
>> The security hole occurs when a log file option like the following is
>> used:
>>
>>   log file = /var/log/samba/%m.log
>>
>> In that case the attacker can use a locally created symbolic link to
>> overwrite any file on the system. This requires local access to the
>> server.
>>
>> If your Samba configuration has something like the following:
>>
>>   log file = /var/log/samba/%m
>>
>> Then the attacker could successfully compromise your server remotely
>> as no symbolic link is required. This type of configuration is very
>> rare.
>>
>> The most commonly used log file configuration containing %m is the one
>> distributed in the sample configuration file that comes with Samba:
>>
>>   log file = /var/log/samba/log.%m
>>
>> in that case your machine is not vulnerable to this attack unless you
>> happen to have a subdirectory in /var/log/samba/ which starts with the
>> prefix "log."
>>
>> New Release
>> - -----------
>>
>> While we recommend that vulnerable sites immediately change their
>> smb.conf configuration file to prevent the attack we will also be
>> making new releases of Samba within the next 24 hours to properly fix
>> the problem. Please see http://www.samba.org/ for the new releases.
>>
>> Please report any attacks to the appropriate authority.
>>
>> The Samba Team
>> [EMAIL PROTECTED]
>
>
>_______________________________________________
>Leaf-user mailing list
>[EMAIL PROTECTED]
>http://lists.sourceforge.net/lists/listinfo/leaf-user
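A configuration audit for the workaround in the quoted advisory, as an added example that is not part of the original thread or of Samba: it flags every smb.conf parameter containing %m, sorts it into the cases the advisory describes, and proposes the %I replacement. The verdict labels, function names and sample configuration are constructed for illustration.

```python
import os

# Constructed sample, modelled on the smb.conf fragment quoted in this thread.
SAMPLE_CONF = """\
# Global parameters
        workgroup = LINUX-GRP
        log file = /var/log/samba/log.%m
[a]
        log file = /var/log/samba/%m.log
[b]
        log file = /var/log/samba/%m
"""

def _subdirs(directory):
    """Names of the subdirectories of `directory` (empty if unreadable)."""
    try:
        return [e.name for e in os.scandir(directory) if e.is_dir()]
    except OSError:
        return []

def classify(value, subdirs=_subdirs):
    """Sort one parameter value into the cases the advisory describes."""
    if "%m" not in value:
        return "ok"
    head, _, tail = value.partition("%m")
    if "/" in tail:
        return "unclassified"        # %m names a directory: not covered by the advisory
    directory, prefix = os.path.split(head)
    if prefix:                       # e.g. log.%m: depends on a "log."-prefixed subdirectory
        clash = any(d.startswith(prefix) for d in subdirs(directory))
        return "prefix-dir-present" if clash else "needs-prefix-dir"
    return "local-symlink" if tail else "remote"   # %m.log versus bare %m

def audit(conf_text, subdirs=_subdirs):
    """Return (line, parameter, verdict, value with %m replaced by %I)."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        s = line.strip()
        if not s or s[0] in "#;[" or "=" not in s:
            continue                 # blank line, comment or section header
        name, value = (p.strip() for p in s.split("=", 1))
        if "%m" in value:
            findings.append((lineno, name, classify(value, subdirs), value.replace("%m", "%I")))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(*finding, sep=" | ")
```

Per the advisory, "remote" needs no symbolic link, "local-symlink" requires local access, and "needs-prefix-dir" only becomes exploitable if a subdirectory starting with the prefix exists, which the audit reports as "prefix-dir-present".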