[Pkg-samba-maint] [samba] 01/02: add patch for CVE-2012-6150

Ivo De Decker ivodd at moszumanska.debian.org
Thu Apr 10 20:19:04 UTC 2014


This is an automated email from the git hooks/post-receive script.

ivodd pushed a commit to branch wheezy
in repository samba.

commit 8fb8b9a5de36ac6e554c7ded5db19f722427f2a0
Author: Ivo De Decker <ivo.dedecker at ugent.be>
Date:   Thu Apr 10 21:39:48 2014 +0200

    add patch for CVE-2012-6150
    
    pam_winbind login without require_membership_of restrictions
---
 debian/changelog                            |  8 +++++
 debian/patches/security-CVE-2012-6150.patch | 55 +++++++++++++++++++++++++++++
 debian/patches/series                       |  1 +
 3 files changed, 64 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index d21ad21..bda64d4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+samba (2:3.6.6-6+deb7u3) UNRELEASED; urgency=medium
+
+  * Security update
+  * CVE-2012-6150: pam_winbind login without require_membership_of
+    restrictions
+
+ -- Ivo De Decker <ivo.dedecker at ugent.be>  Thu, 10 Apr 2014 21:37:32 +0200
+
 samba (2:3.6.6-6+deb7u2) wheezy-security; urgency=high
 
   * Security update
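Review bot: the new entry at the top of the hunk targets `UNRELEASED` with `urgency=medium`, while the deb7u2 entry directly below it was uploaded to `wheezy-security; urgency=high`; the distribution line has to become `wheezy-security` before this can be uploaded, and a security fix on the same branch would normally keep `urgency=high`. The entry only names the CVE; adding the upstream bug the patch cites (https://bugzilla.samba.org/show_bug.cgi?id=10300) would make it easier to track.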
diff --git a/debian/patches/security-CVE-2012-6150.patch b/debian/patches/security-CVE-2012-6150.patch
new file mode 100644
index 0000000..11aface
--- /dev/null
+++ b/debian/patches/security-CVE-2012-6150.patch
@@ -0,0 +1,55 @@
+
+CVE-2012-6150:
+Winbind allows for the further restriction of authenticated PAM logins using
+the require_membership_of parameter. System administrators may specify a list
+of SIDs or groups for which an authenticated user must be a member of. If an
+authenticated user does not belong to any of the entries, then login should
+fail. Invalid group name entries are ignored.
+
+Samba versions 3.3.10, 3.4.3, 3.5.0 and later incorrectly allow login from
+authenticated users if the require_membership_of parameter specifies only
+invalid group names.
+
+This is a vulnerability with low impact. All require_membership_of group
+names must be invalid for this bug to be encountered.
+
+
+From f62683956a3b182f6a61cc7a2b4ada2e74cde243 Mon Sep 17 00:00:00 2001
+From: Noel Power <noel.power at suse.com>
+Date: Wed, 16 Oct 2013 16:30:55 +0100
+Subject: [PATCH] fail authentication for single group name which cannot be
+ converted to sid
+
+furthermore if more than one name is supplied and no sid is converted
+then also fail.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=10300
+
+Signed-off-by: Noel Power <noel.power at suse.com>
+Reviewed-by: Andreas Schneider <asn at samba.org>
+Reviewed-by: David Disseldorp <ddiss at samba.org>
+[ddiss at samba.org: fixed incorrect bugzilla tag I added to master commit]
+---
+ nsswitch/pam_winbind.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
+index 9322971..cd5e7ba 100644
+--- a/nsswitch/pam_winbind.c
++++ b/nsswitch/pam_winbind.c
+@@ -1172,6 +1172,12 @@ static bool winbind_name_list_to_sid_string_list(struct pwb_context *ctx,
+ 		_make_remark_format(ctx, PAM_TEXT_INFO, _("Cannot convert group %s "
+ 				"to sid, please contact your administrator to see "
+ 				"if group %s is valid."), search_location, search_location);
++
++		/* If no valid groups were converted we should fail outright */
++		if (name_list != NULL && strlen(sid_list_buffer) == 0) {
++			result = false;
++			goto out;
++		}
+ 		/*
+ 		 * The lookup of the last name failed..
+ 		 * It results in require_member_of_sid ends with ','
+-- 
+1.8.1.4
+
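Review bot: the added check in the nested pam_winbind.c hunk (`if (name_list != NULL && strlen(sid_list_buffer) == 0)`) only fires when the SID buffer is still empty at the moment a lookup fails, so it fails closed for the advisory's case (a single invalid name, or no name converting at all) but still skips an invalid name that follows a successfully converted one; that is the documented behaviour ("Invalid group name entries are ignored"), but the description's "if more than one name is supplied and no sid is converted then also fail" should state this plainly so nobody reads the fix as all-or-nothing. Since the new `goto out` now leaves the loop early with `result = false`, it is worth confirming that the `out:` path (not among the context lines) performs the same cleanup as the normal exit. Separately, the patch file carries the upstream commit text but no DEP-3 header; an `Origin: upstream, f62683956a3b182f6a61cc7a2b4ada2e74cde243` line plus the CVE and bug references above the description would make the provenance machine-readable.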
diff --git a/debian/patches/series b/debian/patches/series
index 6d45860..b5e4935 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -27,3 +27,4 @@ security-CVE-2013-0214.patch
 security-CVE-2013-4124.patch
 security-CVE-2013-4475.patch
 security-CVE-2013-4408.patch
+security-CVE-2012-6150.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-samba/samba.git