Samba Exploit Discovered, Fixed
An anonymous reader submits: "Digital Defense reported a remote root vulnerability in Samba that has existed in Samba source code for over 8 years. If it hadn't been caught from a wild packet capture, who knows how many more years it might have gone on. This and at least three other vulnerabilities have been fixed today. This is a serious threat to many thousands of people. Did you plan to spend your Monday upgrading to Samba 2.2.8a?"
elijahao supplies some more information: "All stable versions are affected (2.x), but the 3.0 series is not. Here is a link to the News page. Check out a mirror near you to get the Source or Security patches from 2.2.7a, 2.2.8, or 2.0.10."
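One way to turn the version facts in the two posts above (all stable 2.x releases affected, the 3.0 series not, 2.2.8a fixed, security patches for 2.2.7a, 2.2.8 and 2.0.10) into a quick fleet triage. This is an added example, not code from the story or from the Samba project; it assumes you have already collected the banner printed by `smbd -V` from each host, and the host names and banners below are constructed.

```python
import re
from typing import Dict, NamedTuple, Optional, Tuple

# Facts as stated in the posts: 2.2.8a is the fixed release; security
# patches exist for 2.2.7a, 2.2.8 and 2.0.10; every other stable 2.x
# release needs a full upgrade; the 3.0 series is not affected.
FIXED_RELEASE = (2, 2, 8, "a")
PATCHABLE = {(2, 2, 7, "a"), (2, 2, 8, ""), (2, 0, 10, "")}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")

Version = Tuple[int, int, int, str]


class Triage(NamedTuple):
    version: Version
    status: str  # fixed | patch_available | upgrade | not_affected | unknown


def parse_version(banner: str) -> Optional[Version]:
    """Extract (major, minor, patch, suffix) from a banner like 'Version 2.2.8a'."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def triage(banner: str) -> Optional[Triage]:
    """Classify one host's smbd banner against the ranges given in the posts."""
    v = parse_version(banner)
    if v is None:
        return None
    if v[0] >= 3:
        return Triage(v, "not_affected")  # the 3.0 series is stated as unaffected
    if v[0] < 2:
        return Triage(v, "unknown")  # the posts say nothing about pre-2.x releases
    if v >= FIXED_RELEASE:  # tuple order: "" < "a", so 2.2.8 < 2.2.8a
        return Triage(v, "fixed")
    if v in PATCHABLE:
        # Caveat: the banner cannot show whether the security patch was applied,
        # so "patch_available" still needs a check of the actual build.
        return Triage(v, "patch_available")
    return Triage(v, "upgrade")


def triage_fleet(banners: Dict[str, str]) -> Dict[str, str]:
    """Map host name -> status for a collected set of banners (None -> 'unparsed')."""
    return {host: (t.status if (t := triage(b)) else "unparsed") for host, b in banners.items()}


# Constructed sample input standing in for collected 'smbd -V' output.
SAMPLE_FLEET = {"fs1": "Version 2.2.8a", "fs2": "Version 2.2.7a",
                "fs3": "Version 2.0.7", "dev": "Version 3.0.0alpha21"}

if __name__ == "__main__":
    for host, status in triage_fleet(SAMPLE_FLEET).items():
        print(f"{host}: {status}")
```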
Your wife is cheating on you... It wouldn't have been a problem, but you just HAD to hire a Private Investigator...
I could not agree more! SLAYER!!!
The Samba site actually mentions that an active exploit is already out there. Hopefully most people are running Samba in hard-to-reach places, but this definitely is a large problem. This is one I wouldn't let slide for more than oh, say... the next 30 minutes.
I think it's a good thing. Instead of these bugs being found by the "wrong" people, they are found and fixed before anyone can mess up production systems. This, if anything, shows the strength of OSS. It gets fixed quickly.
So tell me when the last time was you sued Microsoft, Oracle or Sun for your losses in the real world and won any damages? :-)
In Open Source you know who messed up. You have their email address and phone number. You have a basis for trust or not based on past reputation/performance.
You have *no idea* who wrote any of the Microsoft code, or any other proprietary code - and no recourse to fix problems that cause you losses other than to beg the vendor for a fix.
And you'd better ask nicely, in case you don't give them enough money.
Good luck on getting your damages from Microsoft for the last virus outbreak, you're going to need it.
Jeremy Allison,
Samba Team.
Uhhm, his job is to write a Windows-compliant SMB server. Needless to say, part of his job is figuring out how MS's server works, as MS doesn't follow their own spec for CIFS. Naturally, in the course of analyzing this, he would find situations where MS's SMB support is broken. In the past, Samba has had to intentionally 'break' certain functionality to match how some implementations of Windows SMB/CIFS functionality are 'broken'.
What's your personal problem with him, anyway? Did he violate you with his magical code-auditing-and-fixing wand instead of using it on his code?
No, I'm not a joke, just a software engineering professional.
I have to catalogue Microsoft bugs as Samba has to interoperate with some of them (if you'd ever looked at Samba code you'd know what we sometimes have to do to work around Microsoft bugs).
Yes, I sometimes screw up and write bad code, as does every software engineer I've ever worked with.
With Open Source, you get to see such things in public, rather than being hidden. Even though this was my problem I know which way of developing code I prefer, and I've developed my share of proprietary code in my time...
Jeremy Allison,
Samba Team.
Well I don't want to describe them as I don't want to give any crackers ideas on how to exploit them. Microsoft know and they are the only people who can do anything about it, it's *their* code, not mine. Me describing the problem to you will make the problem worse, not better.
If people find bugs in my code I want them to tell me and I fix them asap. If they are security related I want them to give me warning first before going public. This is what we have done with Microsoft, it's the responsible, professional thing to do. What gets done about it is *their* decision, not mine (or yours).
Jeremy Allison,
Samba Team.
Well, as I posted above, I think the reason no one looked at the code is because it worked as written with the most common clients (Microsoft ones). We, the Linux vendors and just about everyone else who uses Samba audit the code regularly, but this one got missed by everyone but the bad guys. Sometimes that happens. Life just *sucks* sometimes.
Every time we get a problem we always go through and look for instances of this class of problem (that's how I spent my weekend) but I'm afraid no code is perfect.
Jeremy Allison,
Samba Team.
Open source provides the opportunity for many eyes to audit the code. It does not guarantee that it will happen.
On the bright side, if Samba weren't open source, we might never have found this problem at all, and the fix would not have come so soon after the flaw was discovered.
We had a fix within 1 hour of the problem being reported, and that was mainly due to mail propagation delays from Australia! We had to co-ordinate the release with all the Samba vendors, that's what took the time.
Your point about code auditing is incorrect. No company pays the sort of money needed to do the amount of code auditing a major OSS project gets *for free* by the vendor community. Yes, they could do this, but proprietary software companies simply don't spend the money on engineering resources to be used in this way. Not even Microsoft.
Jeremy Allison,
Samba Team.