Red Hat did not consider this a security issue because of the following reply to our question regarding severity and exploitability:

On Thu, 2007-01-25 at 11:46 -0600, Steven French wrote:
>
> I am not aware of any problem with malformed filenames - this is a much
> more limited issue although perhaps could cause slight memory corruption
> (it is hard to imagine it being more than a few bytes because the length of
> the variable area of the smb is checked, and the domain name field in the
> session structure it is copied into is information), and probably should be
> added to 2.6.16.x. 2.6.17.x etc.
>
> This affects mount time only (the first mount to a server establishes an
> SMB connection, "session," for which the server response includes a domain
> name as the last field. If the domain name is not null terminated
> (Windows has a bug in only appending one rather than two bytes for this
> particular Unicode, UCS-16, string).

Thus -- this needs voluntary cooperation of user who already has root
privileges (mount a smb share) and can cause a harmless oops triggerable only
at mount time.

Regards,
--
Lubomir Kundrak (Red Hat Security Response Team)
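
Added example, not part of the original message and not the kernel's code: a bounded copy of a UTF-16LE string that arrives as the last field of a received message and may end with a two-byte terminator, a single zero byte, or no terminator at all. The function name, buffer sizes and sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed samples: "AB" followed by a single 0x00 byte (the short
 * terminator described above), and "ABCD" with no terminator at all. */
static const uint8_t sample_short_term[] = { 'A', 0, 'B', 0, 0 };
static const uint8_t sample_no_term[]    = { 'A', 0, 'B', 0, 'C', 0, 'D', 0 };

/*
 * Copy a UTF-16LE field from the src_len bytes left in a received message
 * into dst, which holds dst_units 16-bit units. Reading never goes past
 * src_len, an odd trailing byte is never combined with memory after the
 * message, and dst is always terminated. Returns the number of code units
 * copied (terminator excluded); *truncated is set if the name did not fit.
 */
size_t copy_utf16le_field(const uint8_t *src, size_t src_len,
                          uint16_t *dst, size_t dst_units, int *truncated)
{
    size_t n = 0;
    size_t pairs = src_len / 2;          /* whole code units only */

    if (truncated)
        *truncated = 0;
    if (dst_units == 0)
        return 0;                        /* no room even for a terminator */

    for (size_t i = 0; i < pairs; i++) {
        uint16_t cu = (uint16_t)(src[2 * i] | ((uint16_t)src[2 * i + 1] << 8));
        if (cu == 0)                     /* proper two-byte terminator */
            break;
        if (n == dst_units - 1) {        /* keep one slot for the terminator */
            if (truncated)
                *truncated = 1;
            break;
        }
        dst[n++] = cu;
    }
    dst[n] = 0;                          /* terminate regardless of what the peer sent */
    return n;
}

int main(void)
{
    uint16_t out[8];
    int tr;
    size_t n = copy_utf16le_field(sample_short_term, sizeof sample_short_term,
                                  out, 8, &tr);
    return (n == 2 && out[2] == 0 && tr == 0) ? 0 : 1;
}
```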

