Aviso de seguridad de Debian

DSA-463-1 samba -- escalada de privilegios

Fecha del informe:

12 de mar de 2004

Paquetes afectados:

samba

Vulnerable:

Sí

Referencias a bases de datos de seguridad:

En la base de datos de Bugtraq (en SecurityFocus): Id. en BugTraq 9619.
En el diccionario CVE de Mitre: CVE-2004-0186.

Información adicional:

Se descubrió que Samba, un servidor de archivos e impresión para Unix tipo LanManager, tenía una vulnerabilidad por medio de la cual un usuario podía usar la utilidad «smbmnt», que tiene setuid root, para montar un archivo compartido desde un servidor remoto que tuviera los programas con setuid bajo el control del usuario. Entonces, tales programas se podrían ejecutar para obtener privilegios en el sistema local.

Para la distribución estable actual (woody), este problema se ha corregido en la versión 2.2.3a-13.

Para la distribución inestable (sid), este problema se ha corregido en la versión 3.0.2-2.

Le recomendamos que actualice el paquete samba.

Arreglado en:

Debian GNU/Linux 3.0 (woody)

Fuentes:: http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-13.dsc; http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-13.diff.gz; http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a.orig.tar.gz
Componentes independientes de la arquitectura:: http://security.debian.org/pool/updates/main/s/samba/samba-doc_2.2.3a-13_all.deb
Alpha:: http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-13_alpha.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-13_alpha.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-13_alpha.deb; http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-13_alpha.deb; http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-13_alpha.deb; http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-13_alpha.deb; http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-13_alpha.deb; http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-13_alpha.deb; http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-13_alpha.deb
ARM:: http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-13_arm.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-13_arm.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-13_arm.deb; http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-13_arm.deb; http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-13_arm.deb; http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-13_arm.deb; http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-13_arm.deb; http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-13_arm.deb; http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-13_arm.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-13_i386.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-13_i386.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-13_i386.deb; http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-13_i386.deb; http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-13_i386.deb; http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-13_i386.deb; http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-13_i386.deb; http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-13_i386.deb; http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-13_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-13_ia64.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-13_ia64.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-13_ia64.deb; http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-13_ia64.deb; http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-13_ia64.deb; http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-13_ia64.deb; http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-13_ia64.deb; http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-13_ia64.deb; http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-13_ia64.deb
HPPA:: http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-13_hppa.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-13_hppa.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-13_hppa.deb; http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-13_hppa.deb; http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-13_hppa.deb; http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-13_hppa.deb; http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-13_hppa.deb; http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-13_hppa.deb; http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-13_hppa.deb
Motorola 680x0:: http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-13_m68k.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-13_m68k.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-13_m68k.deb; http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-13_m68k.deb; http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-13_m68k.deb; http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-13_m68k.deb; http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-13_m68k.deb; http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-13_m68k.deb; http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-13_m68k.deb
Big endian MIPS:: http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-13_mips.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-13_mips.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-13_mips.deb; http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-13_mips.deb; http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-13_mips.deb; http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-13_mips.deb; http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-13_mips.deb; http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-13_mips.deb; http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-13_mips.deb
Little endian MIPS:: http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12.3_mipsel.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12.3_mipsel.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12.3_mipsel.deb; http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.3_mipsel.deb; http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12.3_mipsel.deb; http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12.3_mipsel.deb; http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12.3_mipsel.deb; http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12.3_mipsel.deb; http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12.3_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-13_powerpc.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-13_powerpc.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-13_powerpc.deb; http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-13_powerpc.deb; http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-13_powerpc.deb; http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-13_powerpc.deb; http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-13_powerpc.deb; http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-13_powerpc.deb; http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-13_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-13_s390.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-13_s390.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-13_s390.deb; http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-13_s390.deb; http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-13_s390.deb; http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-13_s390.deb; http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-13_s390.deb; http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-13_s390.deb; http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-13_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-13_sparc.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-13_sparc.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-13_sparc.deb; http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-13_sparc.deb; http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-13_sparc.deb; http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-13_sparc.deb; http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-13_sparc.deb; http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-13_sparc.deb; http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-13_sparc.deb

Las sumas MD5 de los ficheros que se listan están disponibles en el aviso original.