[Bug 978458] Re: CVE-2012-1182: "root" credential remote code execution

Tyler Hicks tyhicks at canonical.com
Thu Apr 12 19:49:27 UTC 2012


Ok, now I see that the 3.6 upstream branch places the samba3-idl target
underneath 'make all', so I assume that they are now relying on the code
generation to happen at build time. Can you confirm this, Jelmer?

If that's the case, then we probably do want to follow that convention
in our 3.6.x and later packages (currently only found in Precise). The
reason is that if we don't do it at build time, but upstream does, one
of their patches that we cherry-pick could theoretically need to be run
through PIDL to make proper changes. I _think_ that's the case, but I'm
still not quite knowledgeable enough on the PIDL compiler to know for sure.

-- 
https://bugs.launchpad.net/bugs/978458

Title:
  CVE-2012-1182: "root" credential remote code execution

Status in “samba” package in Ubuntu:
  In Progress
Status in “samba” source package in Lucid:
  In Progress
Status in “samba” source package in Natty:
  In Progress
Status in “samba” source package in Oneiric:
  In Progress
Status in “samba” source package in Precise:
  In Progress
Status in “samba” source package in Hardy:
  In Progress
Status in “samba” package in CentOS:
  Unknown
Status in “samba” package in Debian:
  New
Status in “samba” package in Fedora:
  Unknown

Bug description:
  CVE-2012-1182 was recently made public for a remote, unauthenticated,
  root code execution flaw in most samba versions 3.0+:

  https://www.samba.org/samba/security/CVE-2012-1182

  I believe Ubuntu's packages to be vulnerable.  As the CVE is already
  public and patches are in the wild, I am flagging this as a security
  vulnerability but will un-privatize it shortly.
