Note: This is an archival copy of Security Sun Alert 200529 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000404.1.
Article ID : 1000404.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-01-19
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability When Samba Trims Certain Directory Names Down to Absolute Paths

Category
Security

Release Phase
Resolved

Bug Id
6202495

Date of Resolved Release
18-JAN-2005

Impact

Under certain circumstances Samba will trim paths to be absolute paths, which could allow a remote unprivileged user to bypass the specified share restrictions and access arbitrary files and directories on the system.

Note: The Samba software suite is a collection of programs that implements the Server Message Block (SMB) protocol for UNIX systems. This protocol is sometimes also referred to as the Common Internet File System (CIFS), LanManager, or NetBIOS protocol.

This issue is also described in the following document:

CAN-2004-0815 at http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0815.


Contributing Factors

This issue can occur in the following releases:

Linux Platform

  • Sun Java Desktop System (JDS) 2003 without the updated RPMs (patch-9397)
  • Sun Java Desktop System (JDS) Release 2 without the updated RPMs (patch-9397)

with the following Samba versions:

  • Samba 2.2.5-242 or earlier
  • Samba Client 2.2.5-242

To determine the release of JDS for Linux installed on a system, the following command can be run: 

    % cat /etc/sun-release
Sun Java Desktop System, Release 2 -build 10b (GA)
Assembled 30 March 2004

To determine the version of Samba, the following command can be run: 

    % rpm -qf /usr/bin/smbstatus
samba-2.2.5-242

To determine the version of Samba-client, the following command can be run: 

    % rpm -qf /usr/bin/findsmb
samba-client-2.2.5-242

Symptoms

There are no reliable symptoms that would indicate the described issue has been exploited.


Workaround

Samba file shares with "wide links = no" (a non-default setting) in the service definition in "smb.conf" are not vulnerable to this attack. It is highly recommended that "wide links" be set to "no" if at all possible.


Resolution

Linux Platform

  • Sun Java Desktop System (JDS) 2003 with the updated RPMs (patch-9397)
  • Sun Java Desktop System (JDS) Release 2 with the updated RPMs (patch-9397)

To download and install the updated RPMs from the update servers, select the following from the "launch" bar: 

    Launch >> Applications >> System Tools >> Online Update

For more information on obtaining updates, please see the following documents:



Product
Sun Java Desktop System Release 2
































Attachments
This solution has no attachment