Quoting Steve Langasek ([email protected]):

Thanks for helping out on that issue. It was very clearly going beyond my skills and knowledge. This is why we have a team..:-)

> The tarball attached to your earlier mail includes a number of patches that
> are not related to bug #6853, and which have not been posted to bug #6853.
> Where did you get this tarball?

https://bugzilla.samba.org/show_bug.cgi?id=6853#c13

Indeed that bug report is quite messy and really mixes many things together, hence /me being puzzled.

> In particular, the patches
> 0001-Revert-cifs-mount-did-not-properly-display-version-s.patch,
> 0002-s3-mount.cifs-make-mount.cifs-V-print-the-version-no.patch, and
> 0003-mount.cifs-directly-include-sys-stat.h-in-mtab.c.patch are unrelated to
> either of the identified security issues and should not be applied to
> stable; and 0004-mount.cifs-properly-check-for-mount-being-in-fstab-w.patch
> and 0007-mount.cifs-don-t-allow-it-to-be-run-as-setuid-root-p.patch
> deliberately change the behavior of mount.cifs with the rationale that
> allowing users to mount shares on directories they own, or shipping
> mount.cifs suid-root, is not "safe", which is upstream backpedalling on
> previous design decisions and not related to either of the CVEs.
>
> The only patches that are relevant for stable are
> 0005-mount.cifs-take-extra-care-that-mountpoint-isn-t-cha.patch and
> 0006-mount.cifs-check-for-invalid-characters-in-device-na.patch,
> corresponding to CVE-2009-3297 and CVE-2010-0547 respectively. I've applied
> these to the lenny package and will be uploading to the lenny security queue
> shortly.

Ack. Thanks for your time and work on this hairy issue.

