Bug 6478 - smbclient interpolates % character in remote file name; CVE-2009-1886
Summary: smbclient interpolates % character in remote file name; CVE-2009-1886
Alias: None
Product: Samba 3.2
Classification: Unclassified
Component: Client tools
Version: 3.2.7
Hardware: Other Linux
: P3 normal
Target Milestone: ---
Assignee: Volker Lendecke
QA Contact: Samba QA Contact
Reported: 2009-06-15 16:03 UTC by Reinhard Nißl
Modified: 2012-03-17 00:06 UTC (History)
Patch for 3.2 (5.10 KB, patch)
2009-06-16 05:26 UTC, Volker Lendecke

Description Reinhard Nißl 2009-06-15 16:03:14 UTC
Hi, I came across this issue in this binary:

rnissl@corei7:~> smbclient -V
Version 3.2.7-11.2.1-2080-SUSE-CODE11

To reproduce the issue, execute a command like this (the file in question, aa%3Fbb, shall exist on the remote server):

rnissl@corei7:~> echo 'get aa%3Fbb' | smbclient '//nb_merlin/c$' geheim -U administrator -W nb_merlin -I
Domain=[FEE] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
NT_STATUS_OBJECT_NAME_NOT_FOUND opening remote file \aa0,000000bb

See that %3F got interpolated to 0,000000.

The file can be retrieved by doubling the %, but the retrieved file then contains %% in its file name. As a workaround, one has to specify both the remote and the local file name, e.g. like this: get aa%%3Fbb aa%3Fbb

More obvious is a put:

smb: \> put aa%3Fbb
putting file aa%3Fbb as \aa0,000000bb (0,0 kb/s) (average 0,0 kb/s)

I came across this issue after updating a SuSE 9.1 system to openSUSE 11.1. Another system with openSUSE 10.3, running 3.0.28 doesn't show this issue.
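What the report shows, written out as an added C example that is not part of the bug report or of Samba's own code. It assumes, as the output `\aa0,000000bb` indicates, that the remote name reached a printf-style function as its format string, so `%3F` was executed as a `%F` (fixed-point double) conversion with a field width of 3; the demo supplies a zero double and runs in the C locale, which is why it prints `0.000000` where the reporter's locale printed `0,000000`. Next to the vulnerable call it shows the fixed `"%s"` form, the reporter's doubling workaround, and a small check that flags names containing a conversion a printf-style sink would act on.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample input: the remote file name from the bug report. */
#define SAMPLE_NAME "aa%3Fbb"

static char pathbuf[256];
static char escbuf[256];

/* Vulnerable pattern (hypothetical, not Samba's code): the user-supplied
 * name is handed to snprintf as the format string, so "%3F" runs as a
 * conversion. A 0.0 argument is passed only so this demo stays within
 * defined behaviour; in the real defect there is no argument at all and
 * the conversion reads whatever happens to be in the argument registers
 * or on the stack. */
static const char *unsafe_path(const char *name)
{
    snprintf(pathbuf, sizeof pathbuf, name, 0.0);
    return pathbuf;
}

/* Fixed pattern: a constant format with the name passed as a "%s"
 * argument. No character in the name can change how it is formatted. */
static const char *safe_path(const char *name)
{
    snprintf(pathbuf, sizeof pathbuf, "%s", name);
    return pathbuf;
}

/* The reporter's workaround, automated: double every '%' so that a
 * printf-style sink emits it literally. Returns NULL if the result would
 * not fit in the static buffer. */
static const char *escape_percent(const char *in)
{
    size_t o = 0;
    for (; *in != '\0'; in++) {
        size_t need = (*in == '%') ? 2 : 1;
        if (o + need >= sizeof escbuf)
            return NULL;
        escbuf[o++] = *in;
        if (*in == '%')
            escbuf[o++] = '%';
    }
    escbuf[o] = '\0';
    return escbuf;
}

/* Check usable in code review or for flagging names in logs: returns 1 if
 * NAME contains a '%' that a printf-style sink would treat as a conversion
 * (any '%' not paired with a following '%'), else 0. */
static int has_live_conversion(const char *name)
{
    const char *p = strchr(name, '%');
    while (p != NULL) {
        if (p[1] != '%')
            return 1;
        p = strchr(p + 2, '%');   /* skip the escaped "%%" pair */
    }
    return 0;
}

int main(void)
{
    const char *escaped = escape_percent(SAMPLE_NAME);
    printf("unsafe : %s -> %s\n", SAMPLE_NAME, unsafe_path(SAMPLE_NAME));
    printf("safe   : %s -> %s\n", SAMPLE_NAME, safe_path(SAMPLE_NAME));
    printf("escaped: %s -> %s (through the unsafe sink)\n", escaped, unsafe_path(escaped));
    printf("flagged: %d\n", has_live_conversion(SAMPLE_NAME));
    return 0;
}
```

Running it prints `aa0.000000bb` for the unsafe path, `aa%3Fbb` for the fixed one, and shows that the doubled name only survives because the unsafe sink turns `%%` back into a single `%`, which is exactly why the reporter had to give the local file name separately.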

Comment 1 Volker Lendecke 2009-06-16 05:26:41 UTC
Created attachment 4293
Patch for 3.2

Can you try this patch?

This is a 3.2 only issue, in 3.3 and beyond it's already fixed.


Comment 2 Reinhard Nißl 2009-06-16 14:24:32 UTC
The changes look ok to me. I hope the openSUSE people release an updated samba_client package soon for testing.

Comment 3 Volker Lendecke 2009-07-15 09:32:13 UTC
This one made the recent security releases. Fixed now.


Comment 4 Volker Lendecke 2009-07-15 09:34:05 UTC
Really closing