The Samba Team reports:
A bug in the local SID/Name translation routines may
potentially result in a user being able to issue SMB/CIFS
protocol operations as root.

When translating SIDs to/from names using Samba's local
list of user and group accounts, a logic error in the smbd
daemon's internal security stack may result in a
transition to the root user id rather than the non-root
user. The user is then able to temporarily issue SMB/CIFS
protocol operations as the root user. This window of
opportunity may allow the attacker to establish additional
means of gaining root access to the server.

Various bugs in Samba's NDR parsing can allow a user to
send specially crafted MS-RPC requests that will overwrite
the heap space with user defined data.

Unescaped user input parameters are passed as arguments
to /bin/sh allowing for remote command execution.

This bug was originally reported against the anonymous
calls to the SamrChangePassword() MS-RPC function in
combination with the "username map script" smb.conf option
(which is not enabled by default).

After further investigation by Samba developers, it was
determined that the problem was much broader and impacts
remote printer and file share management as well. The
root cause is passing unfiltered user input provided via
MS-RPC calls to /bin/sh when invoking external scripts
defined in smb.conf. However, unlike the "username map
script" vulnerability, the remote file and printer
management scripts require an authenticated user
session.
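Added illustration, not code from the Samba advisory or from Samba itself: the string-splicing pattern the advisory describes (a caller-supplied name built into a command line for /bin/sh) next to a fork/execv variant that hands the same name over as an opaque argv element, plus a metacharacter check usable as a detection condition. The script path and the name "alice; id" are constructed placeholders.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable pattern (the shape the advisory describes): a name received in an
 * MS-RPC request is spliced into a command line that will later be handed to
 * /bin/sh -c, so any shell metacharacter in 'name' is interpreted by the shell.
 * Returns 0 and fills 'out', or -1 if the command does not fit. */
int build_shell_command(char *out, size_t outlen, const char *script,
                        const char *name)
{
    int n = snprintf(out, outlen, "%s %s", script, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Detection helper: does a caller-supplied parameter contain characters that
 * /bin/sh treats specially?  Suitable as a logging/alert condition on the
 * arguments handed to smb.conf hook scripts.  Returns 1 if yes, 0 if not. */
int has_shell_metachars(const char *s)
{
    return strpbrk(s, ";|&$`<>()\\\"'*?[]{}~!\n") != NULL;
}

/* Hardened pattern: fork + execv with a fixed argv.  The user-supplied value is
 * one argv element and is never parsed by a shell.  Returns the child's exit
 * status, or -1 if it could not be run or did not exit normally. */
int run_argv(const char *path, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(path, argv);
        _exit(127);            /* only reached if execv failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    const char *name = "alice; id";   /* constructed hostile input */
    char cmd[256];
    build_shell_command(cmd, sizeof cmd, "/path/to/usermap.sh", name);
    printf("shell would see: %s  (metachars: %d)\n", cmd, has_shell_metachars(name));
    /* Even when the hook must run through sh, pass the value as a positional
     * parameter, never inside the -c string. */
    char *const argv[] = { "sh", "-c", "printf '%s\\n' \"$1\"", "sh", (char *)name, NULL };
    return run_argv("/bin/sh", argv);
}
```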