CVE-2009-1886: Formatstring vulnerability in smbclient

==========================================================
== Subject:     Formatstring vulnerability in smbclient
==
== CVE ID#:	CVE-2009-1886
==
== Versions:    Samba 3.2.0 - 3.2.12 (inclusive)
==
== Summary:     The smbclient commands dealing with file
==              names treat user input as a format string
==              to asprintf.
==========================================================

===========
Description
===========

The smbclient utility in Samba 3.2.0 - 3.2.12 contains a
format string vulnerability: the commands dealing with file
names pass user input as the format string argument to asprintf.

An example is:

smb: \> put aa%3Fbb
putting file aa%3Fbb as \aa0,000000bb (0,0 kb/s) (average 0,0 kb/s)

As can be seen, "aa%3Fbb" is interpreted as a format string: the
"%3F" conversion is consumed and replaced by a formatted floating
point value instead of being copied literally. With a maliciously
crafted file name smbclient can be made to execute code triggered
by the server.

From our point of view the attack is rather unlikely, because the
malicious file name has to be entered by the user. If smbclient is
driven from scripts that pass untrusted file names, an attack
becomes possible.
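The following added example illustrates the shape of this defect and of its fix; it is not Samba's code. The file name is passed once as the format argument (the vulnerable pattern) and once as a "%s" argument to a constant format (the fixed pattern). To stay portable and free of undefined behaviour it uses a small vsnprintf based stand-in, my_asprintf, in place of glibc's asprintf, and exercises the format interpretation with "%%" (which consumes no argument) rather than "%3F" (which would read a missing argument). has_conversion is a hypothetical helper that flags a string that would consume arguments if used as a format.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for asprintf(3) built on C99 vsnprintf: allocates and
 * formats into *out. Returns the length or -1 on error. */
static int my_asprintf(char **out, const char *fmt, ...)
{
    va_list ap, ap2;
    va_start(ap, fmt);
    va_copy(ap2, ap);
    int n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (n < 0) {
        va_end(ap2);
        *out = NULL;
        return -1;
    }
    *out = malloc((size_t)n + 1);
    if (*out == NULL) {
        va_end(ap2);
        return -1;
    }
    vsnprintf(*out, (size_t)n + 1, fmt, ap2);
    va_end(ap2);
    return n;
}

/* Vulnerable pattern (the bug described in the advisory): the user
 * supplied file name itself becomes the format string, so '%'
 * sequences in it are interpreted instead of copied. */
char *describe_put_unsafe(const char *rname)
{
    char *out = NULL;
    if (my_asprintf(&out, rname) < 0)   /* BUG: rname is the format */
        return NULL;
    return out;
}

/* Fixed pattern: a constant format, the file name as an argument.
 * The name is copied verbatim whatever characters it contains. */
char *describe_put_safe(const char *rname)
{
    char *out = NULL;
    if (my_asprintf(&out, "%s", rname) < 0)
        return NULL;
    return out;
}

/* Hypothetical audit helper: returns 1 if s, used as a format, would
 * consume arguments, i.e. contains a '%' not immediately followed by
 * another '%' (a trailing lone '%' counts as well). */
int has_conversion(const char *s)
{
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {
            s++;            /* "%%" is a literal percent sign */
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: a file name containing an escaped percent. */
    const char *name = "aa%%bb";
    char *u = describe_put_unsafe(name);
    char *s = describe_put_safe(name);
    printf("unsafe: %s\n", u);   /* format interpreted: aa%bb */
    printf("safe:   %s\n", s);   /* copied literally:   aa%%bb */
    printf("\"aa%%3Fbb\" would consume arguments: %d\n",
           has_conversion("aa%3Fbb"));
    free(u);
    free(s);
    return 0;
}
```

The real asprintf call in glibc is declared with a format attribute, so compiling with -Wformat-security (or -Werror=format-security) reports every call site where a non-literal format is passed with no further arguments; that warning is the cheapest way to find this class of bug in a code base.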

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 3.2.13 has been issued as a security
release to correct the defect. Samba administrators are
advised to upgrade to 3.2.13 or apply the patch as soon
as possible.


==========
Workaround
==========

No workaround is available at this time.


=======
Credits
=======

This issue was found and reported to the Samba Team by
Reinhard Nißl <rnissl@gmx.de> as
https://bugzilla.samba.org/show_bug.cgi?id=6478

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================