Package: samba
Severity: grave
Tags: security

Hi,
it was discovered that mount.cifs is doing a chdir to the specified directory before the fstab file is actually checked. Since mount.cifs is (also on Debian) installed as setuid, this allows an attacker to use the program to enumerate the existence of files/directories on the system by checking for the existence of the error response.

I don't have time to write a patch now or to test that, but a quick look at mount.cifs.c suggests that this can be fixed just by changing the order of the execution.

Reference
https://bugzilla.samba.org/show_bug.cgi?id=8821

Cheers
Nico

--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
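The ordering problem described in this report, shown as an added C example that is not mount.cifs source and not part of the original mail. The function names and the `user_mountpoints` table (a constructed stand-in for the fstab check) are hypothetical; the first function touches the path before authorizing it, the second authorizes first so every unlisted path gets the same answer.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed stand-in for the fstab entries a user may mount. */
static const char *const user_mountpoints[] = { "/", NULL };

/* Returns 1 if path is listed as user-mountable (exact match), else 0. */
static int listed_for_user(const char *path)
{
    for (size_t i = 0; user_mountpoints[i] != NULL; i++)
        if (strcmp(user_mountpoints[i], path) == 0)
            return 1;
    return 0;
}

/* Ordering from the report: chdir() first, authorization afterwards.
 * In a setuid program the chdir() errno describes paths the caller
 * could not inspect with their own privileges. */
int enter_mountpoint_unchecked_first(const char *path)
{
    if (chdir(path) != 0)
        return errno;      /* ENOENT, ENOTDIR, ... vary with the path */
    if (!listed_for_user(path))
        return EPERM;
    return 0;
}

/* Reordered: authorize first, so an unlisted path always yields EPERM
 * and the filesystem is never consulted for it. */
int enter_mountpoint_checked_first(const char *path)
{
    if (!listed_for_user(path))
        return EPERM;
    if (chdir(path) != 0)
        return errno;
    return 0;
}

int main(void)
{
    const char *probe[] = { ".", "/nonexistent/constructed" };
    for (int i = 0; i < 2; i++)
        printf("%-26s chdir-first=%d check-first=%d\n", probe[i],
               enter_mountpoint_unchecked_first(probe[i]),
               enter_mountpoint_checked_first(probe[i]));
    return 0;
}
```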