Slashdot Mirror


Security Flaws In Linux SMBFS

An anonymous reader points out this SecurityFocus alert, which starts "The Linux kernel is reported susceptible to multiple remote vulnerabilities in the SMBFS network file system. These vulnerabilities may lead to the execution of attacker-supplied machine code, information disclosure of kernel memory, or kernel crashes, denying service to legitimate users. Versions of the kernel in both the 2.4, and the 2.6 series are reported susceptible to various issues."

6 of 347 comments (clear)

  1. Now... by bogaboga · · Score: 3, Insightful
    ...Linux zealots are going to run in defense of the [Linux] kernel. Come on guys, anything created by man will always have defects.

    Cb..

  2. Re:I'm glad this hit slashdot by waferhead · · Score: 3, Insightful

    This (parent)notice should be added to the headline as a public service.

  3. Re:Everyone makes mistakes by 13Echo · · Score: 4, Insightful

    The difference is that this is a POTENTIAL exploit. Not something that's been known for a long time but ignored to the point of mass-exploitation.

  4. Re:MS Technology by nacks1 · · Score: 5, Insightful

    "Most Linux-only users use NFS, which does not have these security holes."

    Yeah... it NFS just has plenty of holes of its own. I would be the first to say that I think that SMBFS is crap, but NFS isn't the network filesystem that we should be holding up as a good system to emulate.

  5. Re:But... by EvilAlien · · Score: 3, Insightful
    You don't need root, you just need local access so you can exploit all those vulnerabilities that get ignored because they aren't remotely exploitable.

    I don't know how many times I've heard clueless admins tell me that they aren't patching for something because its only exploitable locally...

    --
    perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'
  6. Re:Irony isn't something you dewrinkle clothes wit by ClosedSource · · Score: 3, Insightful

    You seem to be reaching here. If implementing the protocol safely is beyond the ability of Linux developers, then they shouldn't do it.

    More likely the truth is that smart developers for Linux and smart developers for MS make mistakes and will continue to do so. My only complaint is that there shouldn't be a double-standard.