CVE-2009-1886

Publication date 25 June 2009

Last updated 24 July 2024

Multiple format string vulnerabilities in client/client.c in smbclient in Samba 3.2.0 through 3.2.12 might allow context-dependent attackers to execute arbitrary code via format string specifiers in a filename.

Read the notes from the security team

Status

Show unmaintained releases

No maintained releases are affected by this CVE.

Package	Ubuntu Release	Status
samba	9.04 jaunty	Not affected
	8.10 intrepid	Fixed 2:3.2.3-1ubuntu3.6
	8.04 LTS hardy	Not affected
	6.06 LTS dapper	Not affected

Notes

jdstrand

priority low as the vulnerability is reduced to denial of service due to compiler hardening does not affect 3.0 or 3.3

mdeslaur

confirmed trapped by compiler hardening, although could still be a DoS for tools that use smbclient in an automated way, so marking as low priority

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
samba	Upstream: http://us3.samba.org/samba/ftp/patches/security/samba-3.2.12-CVE-2009-1886.patch

References

Related Ubuntu Security Notices (USN)