Debian Samba vulnerabilities
201 known vulnerabilities affecting debian/samba.
Total CVEs: 201
CISA KEV: 2 (actively exploited)
Public exploits: 19
Exploited in wild: 2
Severity breakdown: CRITICAL 16, HIGH 59, MEDIUM 90, LOW 36
Vulnerabilities
CVE-2009-1886 | CRITICAL | CVSS 9.3 | PoC | fixed in samba 2:3.3.6-1 (bookworm) | 2009
CVE-2009-1886 [CRITICAL] CVE-2009-1886: samba - Multiple format string vulnerabilities in client/client.c in smbclient in Samba ...
Multiple format string vulnerabilities in client/client.c in smbclient in Samba 3.2.0 through 3.2.12 might allow context-dependent attackers to execute arbitrary code via format string specifiers in a filename.
Scope: local
bookworm: resolved (fixed in 2:3.3.6-1)
bullseye: resolved (fixed in 2:3.3.6-1)
forky: resolved (fixed in 2:3.3.6-1)
sid: resolved (fixed in 2:3
debian
CVE-2009-2948 | MEDIUM | CVSS 1.9 | fixed in samba 2:3.4.2-1 (bookworm) | 2009
CVE-2009-2948 [LOW] CVE-2009-2948: samba - mount.cifs in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8 and 3...
mount.cifs in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8 and 3.4 before 3.4.2, when mount.cifs is installed suid root, does not properly enforce permissions, which allows local users to read part of the credentials file and obtain the password by specifying the path to the credentials file and using the --verbose or -v option.
Scope: local
bookworm: res
debian
CVE-2009-0022 | MEDIUM | CVSS 6.3 | fixed in samba 2:3.2.5-3 (bookworm) | 2009
CVE-2009-0022 [MEDIUM] CVE-2009-0022: samba - Samba 3.2.0 through 3.2.6, when registry shares are enabled, allows remote authe...
Samba 3.2.0 through 3.2.6, when registry shares are enabled, allows remote authenticated users to access the root filesystem via a crafted connection request that specifies a blank share name.
Scope: local
bookworm: resolved (fixed in 2:3.2.5-3)
bullseye: resolved (fixed in 2:3.2.5-3)
forky: resolved (fixed in 2:3.2.5-3)
sid: resolved (fixed in 2:3.2.5-3)
trixie: reso
debian
CVE-2009-2813 | MEDIUM | CVSS 6.0 | fixed in samba 2:3.4.2-1 (bookworm) | 2009
CVE-2009-2813 [MEDIUM] CVE-2009-2813: samba - Samba 3.4 before 3.4.2, 3.3 before 3.3.8, 3.2 before 3.2.15, and 3.0.12 through ...
Samba 3.4 before 3.4.2, 3.3 before 3.3.8, 3.2 before 3.2.15, and 3.0.12 through 3.0.36, as used in the SMB subsystem in Apple Mac OS X 10.5.8 when Windows File Sharing is enabled, Fedora 11, and other operating systems, does not properly handle errors in resolving pathnames, which allows remote authenticated users to bypass intended sharing restrictions, and read, cre
debian
CVE-2009-2906 | LOW | CVSS 4.0 | fixed in samba 2:3.4.2-1 (bookworm) | 2009
CVE-2009-2906 [MEDIUM] CVE-2009-2906: samba - smbd in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8, and 3.4 be...
smbd in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8, and 3.4 before 3.4.2 allows remote authenticated users to cause a denial of service (infinite loop) via an unanticipated oplock break notification reply packet.
Scope: local
bookworm: resolved (fixed in 2:3.4.2-1)
bullseye: resolved (fixed in 2:3.4.2-1)
forky: resolved (fixed in 2:3.4.2-1)
sid: reso
debian
CVE-2009-1888 | LOW | CVSS 5.8 | fixed in samba 2:3.3.6-1 (bookworm) | 2009
CVE-2009-1888 [MEDIUM] CVE-2009-1888: samba - The acl_group_override function in smbd/posix_acls.c in smbd in Samba 3.0.x befo...
The acl_group_override function in smbd/posix_acls.c in smbd in Samba 3.0.x before 3.0.35, 3.1.x and 3.2.x before 3.2.13, and 3.3.x before 3.3.6, when dos filemode is enabled, allows remote attackers to modify access control lists for files via vectors related to read access to uninitialized memory.
Scope: local
bookworm: resolved (fixed in 2:3.3.6-1)
bullseye: resolv
debian
CVE-2008-4314 | HIGH | CVSS 8.5 | fixed in samba 2:3.2.5-1 (bookworm) | 2008
CVE-2008-4314 [HIGH] CVE-2008-4314: samba - smbd in Samba 3.0.29 through 3.2.4 might allow remote attackers to read arbitrar...
smbd in Samba 3.0.29 through 3.2.4 might allow remote attackers to read arbitrary memory and cause a denial of service via crafted (1) trans, (2) trans2, and (3) nttrans requests, related to a "cut&paste error" that causes an improper bounds check to be performed.
Scope: local
bookworm: resolved (fixed in 2:3.2.5-1)
bullseye: resolved (fixed in 2:3.2.5-1)
forky: resolve
debian
CVE-2008-1105 | MEDIUM | CVSS 7.5 | PoC | fixed in samba 1:3.0.30-1 (bookworm) | 2008
CVE-2008-1105 [HIGH] CVE-2008-1105: samba - Heap-based buffer overflow in the receive_smb_raw function in util/sock.c in Sam...
Heap-based buffer overflow in the receive_smb_raw function in util/sock.c in Samba 3.0.0 through 3.0.29 allows remote attackers to execute arbitrary code via a crafted SMB response.
Scope: local
bookworm: resolved (fixed in 1:3.0.30-1)
bullseye: resolved (fixed in 1:3.0.30-1)
forky: resolved (fixed in 1:3.0.30-1)
sid: resolved (fixed in 1:3.0.30-1)
trixie: resolved (fix
debian
CVE-2008-3789 | MEDIUM | CVSS 2.1 | fixed in samba 2:3.2.3-1 (bookworm) | 2008
CVE-2008-3789 [LOW] CVE-2008-3789: samba - Samba 3.2.0 uses weak permissions (0666) for the (1) group_mapping.tdb and (2) g...
Samba 3.2.0 uses weak permissions (0666) for the (1) group_mapping.tdb and (2) group_mapping.ldb files, which allows local users to modify the membership of Unix groups.
Scope: local
bookworm: resolved (fixed in 2:3.2.3-1)
bullseye: resolved (fixed in 2:3.2.3-1)
forky: resolved (fixed in 2:3.2.3-1)
sid: resolved (fixed in 2:3.2.3-1)
trixie: resolved (fixed in 2:3.2.3-1)
debian
CVE-2007-4572 | HIGH | CVSS 9.3 | fixed in samba 3.0.27-1 (bookworm) | 2007
CVE-2007-4572 [CRITICAL] CVE-2007-4572: samba - Stack-based buffer overflow in nmbd in Samba 3.0.0 through 3.0.26a, when configu...
Stack-based buffer overflow in nmbd in Samba 3.0.0 through 3.0.26a, when configured as a Primary or Backup Domain controller, allows remote attackers to have an unknown impact via crafted GETDC mailslot requests, related to handling of GETDC logon server requests.
Scope: local
bookworm: resolved (fixed in 3.0.27-1)
bullseye: resolved (fixed in 3.0.27-1)
forky: resol
debian
CVE-2007-2444 | HIGH | CVSS 7.2 | fixed in samba 3.0.25-1 (bookworm) | 2007
CVE-2007-2444 [HIGH] CVE-2007-2444: samba - Logic error in the SID/Name translation functionality in smbd in Samba 3.0.23d t...
Logic error in the SID/Name translation functionality in smbd in Samba 3.0.23d through 3.0.25pre2 allows local users to gain temporary privileges and execute SMB/CIFS protocol operations via unspecified vectors that cause the daemon to transition to the root user.
Scope: local
bookworm: resolved (fixed in 3.0.25-1)
bullseye: resolved (fixed in 3.0.25-1)
forky: resolved
debian
CVE-2007-6015 | HIGH | CVSS 9.3 | PoC | fixed in samba 3.0.28-1 (bookworm) | 2007
CVE-2007-6015 [CRITICAL] CVE-2007-6015: samba - Stack-based buffer overflow in the send_mailslot function in nmbd in Samba 3.0.0...
Stack-based buffer overflow in the send_mailslot function in nmbd in Samba 3.0.0 through 3.0.27a, when the "domain logons" option is enabled, allows remote attackers to execute arbitrary code via a GETDC mailslot request composed of a long GETDC string following an offset username in a SAMLOGON logon request.
Scope: local
bookworm: resolved (fixed in 3.0.28-1)
bulls
debian
CVE-2007-2446 | HIGH | CVSS 10.0 | PoC | fixed in samba 3.0.25-1 (bookworm) | 2007
CVE-2007-2446 [CRITICAL] CVE-2007-2446: samba - Multiple heap-based buffer overflows in the NDR parsing in smbd in Samba 3.0.0 t...
Multiple heap-based buffer overflows in the NDR parsing in smbd in Samba 3.0.0 through 3.0.25rc3 allow remote attackers to execute arbitrary code via crafted MS-RPC requests involving (1) DFSEnum (netdfs_io_dfs_EnumInfo_d), (2) RFNPCNEX (smb_io_notify_option_type_data), (3) LsarAddPrivilegesToAccount (lsa_io_privilege_set), (4) NetSetFileSecurity (sec_io_acl), or (5
debian
CVE-2007-5398 | HIGH | CVSS 9.3 | fixed in samba 3.0.27-1 (bookworm) | 2007
CVE-2007-5398 [CRITICAL] CVE-2007-5398: samba - Stack-based buffer overflow in the reply_netbios_packet function in nmbd/nmbd_pa...
Stack-based buffer overflow in the reply_netbios_packet function in nmbd/nmbd_packets.c in nmbd in Samba 3.0.0 through 3.0.26a, when operating as a WINS server, allows remote attackers to execute arbitrary code via crafted WINS Name Registration requests followed by a WINS Name Query request.
Scope: local
bookworm: resolved (fixed in 3.0.27-1)
bullseye: resolved (fi
debian
CVE-2007-2447 | HIGH | CVSS 6.0 | PoC | fixed in samba 3.0.25-1 (bookworm) | 2007
CVE-2007-2447 [MEDIUM] CVE-2007-2447: samba - The MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 allows remote ...
The MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 allows remote attackers to execute arbitrary commands via shell metacharacters involving the (1) SamrChangePassword function, when the "username map script" smb.conf option is enabled, and allows remote authenticated users to execute commands via shell metacharacters involving other MS-RPC functions in
debian
CVE-2007-4138 | MEDIUM | CVSS 6.9 | fixed in samba 3.0.26-1 (bookworm) | 2007
CVE-2007-4138 [MEDIUM] CVE-2007-4138: samba - The Winbind nss_info extension (nsswitch/idmap_ad.c) in idmap_ad.so in Samba 3.0...
The Winbind nss_info extension (nsswitch/idmap_ad.c) in idmap_ad.so in Samba 3.0.25 through 3.0.25c, when the "winbind nss info" option is set to rfc2307 or sfu, grants all local users the privileges of gid 0 when the (1) RFC2307 or (2) Services for UNIX (SFU) primary group attribute is not defined.
Scope: local
bookworm: resolved (fixed in 3.0.26-1)
bullseye: resolve
debian
CVE-2007-0454 | MEDIUM | CVSS 7.5 | fixed in samba 3.0.23d-5 (bookworm) | 2007
CVE-2007-0454 [HIGH] CVE-2007-0454: samba - Format string vulnerability in the afsacl.so VFS module in Samba 3.0.6 through 3...
Format string vulnerability in the afsacl.so VFS module in Samba 3.0.6 through 3.0.23d allows context-dependent attackers to execute arbitrary code via format string specifiers in a filename on an AFS file system, which is not properly handled during Windows ACL mapping.
Scope: local
bookworm: resolved (fixed in 3.0.23d-5)
bullseye: resolved (fixed in 3.0.23d-5)
forky:
debian
CVE-2007-0453 | LOW | CVSS 4.6 | 2007
CVE-2007-0453 [MEDIUM] CVE-2007-0453: samba - Buffer overflow in the nss_winbind.so.1 library in Samba 3.0.21 through 3.0.23d,...
Buffer overflow in the nss_winbind.so.1 library in Samba 3.0.21 through 3.0.23d, as used in the winbindd daemon on Solaris, allows attackers to execute arbitrary code via the (1) gethostbyname and (2) getipnodebyname functions.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
debian
CVE-2007-2407 | LOW | CVSS 4.0 | 2007
CVE-2007-2407 [MEDIUM] CVE-2007-2407: samba - The Samba server on Apple Mac OS X 10.3.9 and 10.4.10, when Windows file sharing...
The Samba server on Apple Mac OS X 10.3.9 and 10.4.10, when Windows file sharing is enabled, does not enforce disk quotas after dropping privileges, which allows remote authenticated users to use disk space in excess of quota.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
debian
CVE-2007-0452 | LOW | CVSS 6.8 | fixed in samba 3.0.23d-5 (bookworm) | 2007
CVE-2007-0452 [MEDIUM] CVE-2007-0452: samba - smbd in Samba 3.0.6 through 3.0.23d allows remote authenticated users to cause a...
smbd in Samba 3.0.6 through 3.0.23d allows remote authenticated users to cause a denial of service (memory and CPU exhaustion) by renaming a file in a way that prevents a request from being removed from the deferred open queue, which triggers an infinite loop.
Scope: local
bookworm: resolved (fixed in 3.0.23d-5)
bullseye: resolved (fixed in 3.0.23d-5)
forky: resolved
debian