Debian Security Advisory

DSA-1291-1 samba -- several vulnerabilities

Date Reported:
15 May 2007
Affected Packages:
samba
Security database references:
In Mitre's CVE dictionary: CVE-2007-2444, CVE-2007-2446, CVE-2007-2447.
More information:

Several issues have been identified in Samba, the SMB/CIFS file- and print-server implementation for GNU/Linux.

  • CVE-2007-2444

    When translating SIDs to/from names using Samba's local list of user and group accounts, a logic error in the smbd daemon's internal security stack may result in a transition to the root user id rather than the non-root user. The user is then able to temporarily issue SMB/CIFS protocol operations as the root user. This window of opportunity may allow the attacker to establish additional means of gaining root access to the server.

  • CVE-2007-2446

    Various bugs in Samba's NDR parsing can allow a user to send specially crafted MS-RPC requests that will overwrite the heap space with user-defined data.

  • CVE-2007-2447

    Unescaped user input parameters are passed as arguments to /bin/sh, allowing for remote command execution.

For the stable distribution (etch), these problems have been fixed in version 3.0.24-6etch1.

For the testing and unstable distributions (lenny and sid, respectively), these problems have been fixed in version 3.0.25-1.

We recommend that you upgrade your samba package.

Fixed in:

Debian GNU/Linux 4.0 (etch)

Architecture-independent component:
Intel IA-32:
Intel IA-64:
Big-endian MIPS:
Little-endian MIPS:
IBM S/390:
Sun Sparc:

MD5 checksums of the listed files are available in the original advisory.