Debian Security Advisory

DSA-048-3 samba -- symlink attack

Date Reported:
09 May 2001
Affected Packages:
Security database references:
In the Bugtraq database (at SecurityFocus): BugTraq ID 2617.
In Mitre's CVE dictionary: CVE-2001-0406.
More information:
Marcus Meissner discovered that samba was not creating temporary files safely in two places:
  • when a remote user queried a printer queue samba would create a temporary file in which the queue data would be written. This was being done using a predictable filename, and insecurely, allowing a local attacker to trick samba into overwriting arbitrary files.
  • smbclient "more" and "mput" commands also created temporary files in /tmp insecurely.

Both problems have been fixed in version 2.0.7-3.2, and we recommend that you upgrade your samba package immediately. (This problem is also fixed in the Samba 2.2 codebase.)

Note: DSA-048-1 included an incorrectly compiled sparc package, which the second edition fixed.

The third edition of the advisory was made because Marc Jacobsen from HP discovered that the security fixes from samba 2.0.8 did not fully fix the /tmp symlink attack problem. The samba team released version 2.0.9 to fix that, and those fixes have been added to version 2.0.7-3.3 of the Debian samba packages.

Fixed in:

Debian GNU/Linux 2.2 (potato)

Architecture-independent component:
Intel IA-32:
Motorola 680x0:
Sun Sparc: