<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<title>Samba - Security Announcement Archive</title>
<H2>CVE-2007-0454: Format string bug in afsacl.so VFS plugin</H2>
==========================================================
== Subject:  Format string bug in afsacl.so VFS plugin.
== CVE ID#:  CVE-2007-0454
== Versions: The AFS ACL mapping VFS plugin distributed
==           in Samba 3.0.6 - 3.0.23d (inclusive)
== Summary:  The name of a file on the server's share
==           is used as the format string when setting
==           an NT security descriptor through the
==           afsacl.so VFS plugin.
==========================================================
NOTE: This security advisory only impacts Samba servers
that share AFS file systems to CIFS clients and which have
been explicitly instructed in smb.conf to load the afsacl.so

The source defect results in the name of a file stored on
disk being used as the format string in a call to snprintf().
This bug becomes exploitable only when a user is able
to write to a share which utilizes Samba's afsacl.so library
for setting Windows NT access control lists on files residing
on an AFS file system.
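
The defect class described above, as an added example that is not Samba's code and not part of the original advisory: a constructed file name is passed to snprintf() first as the format string (the unsafe pattern) and then as data under a constant "%s" format (the standard fix for this class of bug). The function names and the sample file name are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample file name. "%%" is the one directive that consumes
 * no argument, so using this name as a format is well defined while
 * still showing that the name is interpreted instead of copied. */
static const char SAMPLE_NAME[] = "report 100%% final.txt";

/* Unsafe pattern: the on-disk name is the format argument. Any other
 * directive in the name would make snprintf() fetch arguments that
 * were never passed. GCC and Clang flag this call under
 * -Wformat-security; the warning is silenced only for this "before". */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
static int label_unsafe(char *out, size_t outlen, const char *name)
{
    return snprintf(out, outlen, name);
}
#pragma GCC diagnostic pop

/* Hardened form: constant format, the name is data only.
 * Returns the length written, or -1 on error or truncation. */
static int label_safe(char *out, size_t outlen, const char *name)
{
    int n = snprintf(out, outlen, "%s", name);

    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

int main(void)
{
    char a[64], b[64];

    label_unsafe(a, sizeof a, SAMPLE_NAME);
    label_safe(b, sizeof b, SAMPLE_NAME);
    /* Differing output means the name was parsed as a format string. */
    printf("name as format: %s\n", a);
    printf("name as data:   %s\n", b);
    return 0;
}
```

Building with -Wformat -Wformat-security, or with -Werror=format-security to make it fatal, lets the compiler catch the unsafe call before it ships.
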
A patch against Samba 3.0.23d has been attached to this
email. This fix has been incorporated into the Samba 3.0.24
release. Patches are also available from the Samba Security
page (http://www.samba.org/samba/security).
An unpatched server may be protected by removing all
references to the afsacl.so VFS module from shares in
This vulnerability was reported (including a proposed patch)
to Samba developers by <zybadawg333@hushmail.com>. Much thanks
to zybadawg333 for the cooperation and patience in the
announcement of this defect. The time line is as follows:

* Jan 8, 2007: Defect first reported to the security@samba.org
* Jan 8, 2007: Initial developer response by Jeremy Allison
* Jan 29, 2007: Announcement to vendor-sec mailing list
* Feb 5, 2007: Public issue of security advisory.
==========================================================
== Our Code, Our Bugs, Our Responsibility.
==========================================================