severity 665923 important
reassign 665923 cifs-utils
thanks

On Tue, Mar 27, 2012 at 04:43:41AM +0200, Nico Golde wrote:
> Hi, it was discovered that mount.cifs is doing a chdir to the specified
> directory before the fstab file is actually checked. Since mount.cifs is
> (also on Debian) installed as setuid, this allows an attacker to use the
> program to enumerate the existence of files/directories on the system by
> checking for the existence of the error response.
> I don't have time to write a patch now or to test that, but a quick look
> at mount.cifs.c suggests that this can be fixed just by changing the order
> of the execution.

How does an information leak about the names of files qualify as a "grave"
bug? This doesn't seem consistent with
<http://www.debian.org/Bugs/Developer#severities> to me.

Also, mount.cifs doesn't come from the samba source anymore; reassigning to
cifs-utils.

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
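The ordering problem described in the quoted report, as an added example that is not part of the original message and is not code from cifs-utils: a helper that calls chdir() before its authorization check returns a different error for each state of an unlisted path, while the reordered version returns the same answer for all of them. The function names and the `allowed` array standing in for the fstab lookup are hypothetical, and the missing path in `main` is constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical stand-in for the fstab lookup: is this mountpoint one the
 * administrator listed as user-mountable? */
static int listed_in_fstab(const char *dir, const char *const *allowed, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(dir, allowed[i]) == 0)
            return 1;
    return 0;
}

/* Ordering from the report: chdir() runs with the helper's privileges
 * before the check, so the result for an unlisted path (EPERM if it
 * exists, ENOENT/ENOTDIR otherwise) reaches the caller as an oracle. */
int mount_chdir_first(const char *dir, const char *const *allowed, size_t n)
{
    if (chdir(dir) != 0)
        return errno;              /* distinct answer per path state */
    if (!listed_in_fstab(dir, allowed, n))
        return EPERM;
    return 0;
}

/* Reordered: authorize first. Every unlisted path gets the same answer
 * and is never resolved with elevated privileges. */
int mount_check_first(const char *dir, const char *const *allowed, size_t n)
{
    if (!listed_in_fstab(dir, allowed, n))
        return EPERM;
    if (chdir(dir) != 0)
        return errno;
    return 0;
}

int main(void)
{
    const char *const allowed[] = { "/mnt/share" };       /* constructed */
    const char *probe[] = { "/", "/constructed-missing-dir-665923" };
    for (size_t i = 0; i < 2; i++)
        printf("%-34s chdir-first=%d check-first=%d\n", probe[i],
               mount_chdir_first(probe[i], allowed, 1),
               mount_check_first(probe[i], allowed, 1));
    return 0;
}
```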