Bug#310982: plan to include in sarge 2.4 update

[Bill Allombert <allomber@math.u-bordeaux.fr>]

On Wed, Nov 15, 2006 at 05:54:52PM -0700, dann frazier wrote:
> On Mon, Nov 13, 2006 at 12:22:59PM -0800, Steve Langasek wrote:
> > Yes, because this is a kernel security bug.  The smbmount patch was
> > entertained pre-sarge only as a stopgap due to the proximity to release; the
> > right place to fix this is still in the kernel (upstream as appropriate).
> 
> I've done some testing and verified that 2.6.18 honors uid= and 2.6.8
> does not. It looks like this was fixed upstream:
>   http://linux.bkbits.net:8080/linux-2.6/cset@41752f820crlhkG3FzR1EMmg1OxskA?nav=index.html|src/|src/fs|src/fs/smbfs|related/fs/smbfs/inode.c
> 
> So, I plan to use this patch for 2.6.8, and attempt to backport it to
> 2.4.27. If backporting becomes overly complicated/risky, I'll revert
> to using something like Horms' patch. I'll also see about getting a
> CVE assigned.
> 
> Everyone cool with this plan?

I am a bit concerned by the comment in the link you posted:

   To fully work, some modifications are needed to samba smbmount.c and
   smbmnt.c files.  Those patches are available at Samba and Kernel Bug
   Tracker pages.
   After those patches, if the user do not supply any of the parameters a
   bove,
   the uid, gid, file_mode and dir_mode on the server will be used by the
   client.

Did I understand correctly we would need to also patch samba ? 

Cheers,
-- 
Bill. <ballombe@debian.org>

Imagine a large blue swirl here.