Bug#568493: [Pkg-samba-maint] Bug#568493: samba: zero-day remote access exploit
Quoting Michael Gilbert (michael.s.gilb...@gmail.com):

> no, if you watch the video closely (also see [0]), you can see that they
> have read access to pretty much any file on the system (i.e. /etc/passwd)
> and write access to any location writable by the account they connect
> under.
>
> > That's a bug, it should be fixed, but its impact isn't release-critical.
>
> it's your call, but i disagree.

In such case, I think we should let upstream do their job and
investigate/discuss the issue...which is what happened when Jeremy posted
in sa...@lists.samba.org yesterday.

So, imho, the bug report was a little bit premature(en?) as I think we've
already confirmed that we follow upstream development closely enough.

As of now, I understand that the planned fix is to disable wide links by
default. In such case, I don't see much more action to have in Debian.
Particularly, I'm unsure about fixing lenny.
Bug#568493: [Pkg-samba-maint] Bug#568493: samba: zero-day remote access exploit
On Sat, 6 Feb 2010 12:14:58 +0100 Christian PERRIER wrote:

> Quoting Michael Gilbert (michael.s.gilb...@gmail.com):
>
> > no, if you watch the video closely (also see [0]), you can see that they
> > have read access to pretty much any file on the system (i.e. /etc/passwd)
> > and write access to any location writable by the account they connect
> > under.
> >
> > > That's a bug, it should be fixed, but its impact isn't release-critical.
> >
> > it's your call, but i disagree.
>
> In such case, I think we should let upstream do their job and
> investigate/discuss the issue...which is what happened when Jeremy posted
> in sa...@lists.samba.org yesterday.
>
> So, imho, the bug report was a little bit premature(en?) as I think we've
> already confirmed that we follow upstream development closely enough.

if i see an active exploit on one of the lists i'm following, then i am
going to report it (after all, doesn't Debian not hide problems?);
regardless of any concept of prematurity. you all are responsible for
this package, and if there isn't enough info yet, then you should actively
go to upstream to see what's going on, or take a look at the problem
yourself.

> As of now, I understand that the planned fix is to disable wide links by
> default. In such case, I don't see much more action to have in Debian.
> Particularly, I'm unsure about fixing lenny.

if you were following upstream closely, you will have seen that wide
links is a band aid, and a real fix is in the works [0].

sorry if this seems rude, but i'm tired of getting snippy emails.

best wishes,
mike

[0] http://lists.samba.org/archive/samba-technical/2010-February/069200.html

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#568493: [Pkg-samba-maint] Bug#568493: Bug#568493: samba: zero-day remote access exploit
Quoting Michael Gilbert (michael.s.gilb...@gmail.com):

> if i see an active exploit on one of the lists i'm following, then i am
> going to report it (after all, doesn't Debian not hide problems?);

Not hiding problems is not reproducing all bugs reported upstream in our
BTS. Apart from bringing yet more load on the maintainers' shoulders, one
should ponder the real benefit of bug reports. This is not meant to say
you're not right to report but waiting for the discussion with upstream
to settle down before reporting is certainly as helpful as reporting
early.

> regardless of any concept of prematurity. you all are responsible for
> this package, and if there isn't enough info yet, then you should actively
> go to upstream to see what's going on, or take a look at the problem
> yourself.
>
> > As of now, I understand that the planned fix is to disable wide links by
> > default. In such case, I don't see much more action to have in Debian.
> > Particularly, I'm unsure about fixing lenny.
>
> if you were following upstream closely, you will have seen that wide
> links is a band aid, and a real fix is in the works [0].

I *did* see this. My sentence above was a short summary of the real
discussion. Thanks for giving the full pointer to people who want to get
more details.
Bug#568493: [Pkg-samba-maint] Bug#568493: Bug#568493: samba: zero-day remote access exploit
On Sat, 6 Feb 2010 16:50:44 +0100 Christian PERRIER wrote:

> Quoting Michael Gilbert (michael.s.gilb...@gmail.com):
>
> > if i see an active exploit on one of the lists i'm following, then i am
> > going to report it (after all, doesn't Debian not hide problems?);
>
> Not hiding problems is not reproducing all bugs reported upstream in our
> BTS. Apart from bringing yet more load on the maintainers' shoulders, one
> should ponder the real benefit of bug reports. This is not meant to say
> you're not right to report but waiting for the discussion with upstream
> to settle down before reporting is certainly as helpful as reporting
> early.

i must respectfully disagree. when it comes to security issues, time is
of the essence. every minute that there is no fix is another minute that
debian's users are vulnerable. hence, getting maintainers involved as
soon as possible should (if the motivation is there) increase the rate at
which the problem is solved. for normal issues, yes, timeliness is not so
much of a concern.

mike
Bug#568493: [Pkg-samba-maint] Bug#568493: Bug#568493: samba: zero-day remote access exploit
On Sat, Feb 6, 2010 at 10:39:54 -0500, Michael Gilbert wrote:

> sorry if this seems rude, but i'm tired of getting snippy emails.

You'd get less snippy emails if you got off your high horse.

Cheers,
Julien
Bug#568493: [Pkg-samba-maint] Bug#568493: Bug#568493: samba: zero-day remote access exploit
On Sat, 6 Feb 2010 17:14:34 +0100 Julien Cristau wrote:

> On Sat, Feb 6, 2010 at 10:39:54 -0500, Michael Gilbert wrote:
>
> > sorry if this seems rude, but i'm tired of getting snippy emails.
>
> You'd get less snippy emails if you got off your high horse.

thanks for another one! have you ever heard of psychological projection?

best wishes,
mike
Bug#568493: [Pkg-samba-maint] Bug#568493: Bug#568493: Bug#568493: samba: zero-day remote access exploit
Quoting Julien Cristau (jcris...@debian.org):

> You'd get less snippy emails if you got off your high horse.

I'm not sure Michael deserves being bashed this way. We disagree in some
way on the course of actions, but he has always been respectful for our
work as maintainers.

I suggest we all cool this down.
Bug#568493: samba: zero-day remote access exploit
severity 568493 important
thanks

On Fri, Feb 05, 2010 at 01:07:14AM -0500, Michael Gilbert wrote:

> package: samba
> version: 2:3.4.5~dfsg-1
> severity: critical
>
> hi,
>
> a zero-day remote access exploit has been demonstrated using a
> vulnerability in samba [0]. the only info to go on right now is a rather
> blurry video demonstrating the exploit in action as well as the code
> modified. i know this isn't a lot to go on, but hopefully it's enough
> info to figure out the problem.
>
> mike
>
> [0] http://seclists.org/fulldisclosure/2010/Feb/82

Why are you presuming to file critical-severity bugs for an unconfirmed
vulnerability if you can't even give a description of what that
vulnerability is?

There's nothing critical here; the video shows that, if you allow
untrusted users anonymous access to a Samba share, they can read any
files on the system that your guest user (i.e., user 'nobody') can read.
That's a bug, it should be fixed, but its impact isn't release-critical.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
Bug#568493: samba: zero-day remote access exploit
On Thu, 4 Feb 2010 23:18:18 -0800, Steve Langasek wrote:

> severity 568493 important
> thanks
>
> On Fri, Feb 05, 2010 at 01:07:14AM -0500, Michael Gilbert wrote:
>
> > package: samba
> > version: 2:3.4.5~dfsg-1
> > severity: critical
> >
> > hi,
> >
> > a zero-day remote access exploit has been demonstrated using a
> > vulnerability in samba [0]. the only info to go on right now is a rather
> > blurry video demonstrating the exploit in action as well as the code
> > modified. i know this isn't a lot to go on, but hopefully it's enough
> > info to figure out the problem.
> >
> > mike
> >
> > [0] http://seclists.org/fulldisclosure/2010/Feb/82
>
> Why are you presuming to file critical-severity bugs for an unconfirmed
> vulnerability if you can't even give a description of what that
> vulnerability is?

when issues are disclosed, they should be tracked so they can be fixed;
regardless of how much information is presently available, or whether it
has been confirmed, by which i think you actually mean reproduced. the
only way to consider this unconfirmed is if the video were faked, which
is a possibility. however, we should err on the side of caution and
assume that it is real until proven otherwise.

debian bug severity critical:
[...] or introduces a security hole on systems where you install the
package.

> you allow untrusted users anonymous access to a Samba share, they can
> read any files on the system that your guest user (i.e., user 'nobody')
> can read.

no, if you watch the video closely (also see [0]), you can see that they
have read access to pretty much any file on the system (i.e. /etc/passwd)
and write access to any location writable by the account they connect
under.

> That's a bug, it should be fixed, but its impact isn't release-critical.

it's your call, but i disagree.

mike

[0] http://seclists.org/fulldisclosure/2010/Feb/99
Bug#568493: samba: zero-day remote access exploit
package: samba
version: 2:3.4.5~dfsg-1
severity: critical

hi,

a zero-day remote access exploit has been demonstrated using a
vulnerability in samba [0]. the only info to go on right now is a rather
blurry video demonstrating the exploit in action as well as the code
modified. i know this isn't a lot to go on, but hopefully it's enough
info to figure out the problem.

mike

[0] http://seclists.org/fulldisclosure/2010/Feb/82
Bug#568493: samba: zero-day remote access exploit
note that it looks to be exposed only for public shares that are
writable, which should be an uncommon configuration for
security-conscious users.

mike
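As an added example, not part of this thread or of Samba's own tooling: a small Python audit that reads an smb.conf and reports shares matching the exposed pattern described above (guest-accessible and writable while "wide links" is still in effect), which is also the setting the planned upstream fix turns off by default. It assumes that "wide links" defaulted to yes at the time, and relies on the smb.conf synonyms "public"/"guest ok" and "writable"/"writeable"/"read only"; the sample configuration is constructed.

```python
# smb.conf boolean spellings; 'wide links' defaulting to yes is assumed here
_TRUE = {"yes", "true", "1"}
WIDE_LINKS_DEFAULT = True

def parse_smb_conf(text):
    """Minimal smb.conf parser -> {section: {key: value}}, all lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line[:1] in ("", ";", "#"):          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, val = line.partition("=")
            sections[current][key.strip().lower()] = val.strip().lower()
    return sections

def _flag(params, *keys, default=False):
    # first synonym key present decides; otherwise the given default
    for k in keys:
        if k in params:
            return params[k] in _TRUE
    return default

def _writable(p):
    # 'read only' is the inverse of the synonyms 'writable' / 'writeable'
    return p["read only"] not in _TRUE if "read only" in p else _flag(p, "writable", "writeable")

def risky_shares(conf_text):
    """Shares that are guest-accessible and writable while wide links is in effect."""
    conf = parse_smb_conf(conf_text)
    global_wide = _flag(conf.get("global", {}), "wide links", default=WIDE_LINKS_DEFAULT)
    return [name for name, p in conf.items()
            if name not in ("global", "printers")
            and _flag(p, "wide links", default=global_wide)
            and _flag(p, "guest ok", "public") and _writable(p)]

# Constructed sample: [public] is the exposed pattern; [fixed] is also a writable
# guest share but has wide links turned off per share, so only [public] is flagged.
SAMPLE_CONF = """
[public]
   guest ok = yes
   read only = no
[fixed]
   public = yes
   writable = yes
   wide links = no
"""
```

Setting "wide links = no" in [global] (the upstream default after the fix) empties the report for the same file.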