Bug 493664 (CVE-2012-6150) - <net-fs/samba-{3.6.22,4.0.13,4.1.3}: two vulnerabilities (CVE-2012-6150, CVE-2013-4408)
Summary: <net-fs/samba-{3.6.22,4.0.13,4.1.3}: two vulnerabilities (CVE-2012-6150, CVE-...
Status: RESOLVED FIXED
Alias: CVE-2012-6150
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B2 [glsa]
Duplicates: 493726
Reported: 2013-12-08 15:02 UTC by Agostino Sarubbo
Modified: 2015-02-26 08:59 UTC
Description Agostino Sarubbo gentoo-dev 2013-12-08 15:02:57 UTC
From ${URL} :

It was reported [1] that Samba's pam_winbind module would fail open (allowing access) when the 
require_membership_of option is used as an argument to pam_winbind, and contains a non-existent 
group as the value.  In such a configuration, rather than failing and not permitting authentication 
which is what would be expected, pam_winbind will allow authentication to proceed.

For instance, if the following is specified and the user is not a member of the group 'Admin', they 
will not obtain access to the system:

auth        sufficient    pam_winbind.so use_first_pass require_membership_of=Admin

On the other hand, if the non-existent group 'AdminOops' is specified, the user is obviously not a 
member of said group, authentication will be permitted:

auth        sufficient    pam_winbind.so use_first_pass require_membership_of=AdminOops

The commit [2] that most likely introduced this flaw indicates that this was introduced October 
2009 and another commit [3] looks like the fix, although that is for another bug [4] that's 
somewhat related to this issue and somewhat not.


[1] https://lists.samba.org/archive/samba-technical/2012-June/084593.html
[2] http://git.samba.org/?p=samba.git;a=commit;h=31f1a36901b5b8959dc51401c09c114829b50392
[3] http://git.samba.org/?p=samba.git;a=commitdiff;h=f62683956a3b182f6a61cc7a2b4ada2e74cde243
[4] https://bugzilla.samba.org/show_bug.cgi?id=8598


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2013-12-09 06:16:24 UTC
CVE-2012-6150 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6150):
  The winbind_name_list_to_sid_string_list function in nsswitch/pam_winbind.c
  in Samba through 4.1.2 handles invalid require_membership_of group names by
  accepting authentication by any user, which allows remote authenticated
  users to bypass intended access restrictions in opportunistic circumstances
  by leveraging an administrator's pam_winbind configuration-file mistake.
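
An added example, not part of the bug report or of Samba's code: a small audit for the configuration mistake that the description and the CVE text above refer to, flagging require_membership_of names that do not resolve. Assumptions: the names are groups visible through NSS (grp.getgrnam); audit_pam_lines, nss_group_exists and the sample lines are constructed for illustration.

```python
import grp
import re

# The option exactly as it appears in the PAM lines quoted in the report.
OPTION = re.compile(r"require_membership_of=(\S+)")
# Values written as SIDs are not looked up by name.
SID = re.compile(r"^S-1-\d+(-\d+)+$", re.IGNORECASE)


def nss_group_exists(name):
    """Default resolver. Assumption: winbind groups are visible through NSS."""
    try:
        grp.getgrnam(name)
        return True
    except KeyError:
        return False


def audit_pam_lines(lines, group_exists=nss_group_exists):
    """Return (line_no, name) for each require_membership_of name that does not resolve."""
    findings = []
    for line_no, raw in enumerate(lines, start=1):
        line = raw.split("#", 1)[0]            # ignore comments
        if "pam_winbind.so" not in line:
            continue
        match = OPTION.search(line)
        if not match:
            continue
        for name in match.group(1).split(","):  # value may be a comma-separated list
            name = name.strip()
            if not name or SID.match(name):
                continue
            if not group_exists(name):
                findings.append((line_no, name))
    return findings


# Constructed sample: the two lines quoted in the report, plus a comment line.
SAMPLE = [
    "# /etc/pam.d/system-auth (constructed sample)",
    "auth        sufficient    pam_winbind.so use_first_pass require_membership_of=Admin",
    "auth        sufficient    pam_winbind.so use_first_pass require_membership_of=AdminOops",
]

if __name__ == "__main__":
    known = {"Admin"}                            # constructed stand-in for the directory
    for line_no, name in audit_pam_lines(SAMPLE, lambda g: g in known):
        print(f"line {line_no}: '{name}' does not resolve; check the group name")
```

On a live host, call audit_pam_lines(open(path)) for each file under /etc/pam.d; the default resolver only gives meaningful results when nsswitch.conf routes group lookups through winbind.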
Comment 2 Agostino Sarubbo gentoo-dev 2013-12-09 09:10:00 UTC
*** Bug 493726 has been marked as a duplicate of this bug. ***
Comment 3 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2013-12-09 09:14:55 UTC
+*samba-4.1.3 (09 Dec 2013)
+*samba-4.0.13 (09 Dec 2013)
+*samba-3.6.22 (09 Dec 2013)
+
+  09 Dec 2013; Lars Wendler <polynomial-c@gentoo.org> +samba-3.6.22.ebuild,
+  -samba-4.0.11.ebuild, +samba-4.0.13.ebuild, -samba-4.1.1.ebuild,
+  +samba-4.1.3.ebuild:
+  Security bump (bug #493726). Removed old.
+
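Review bot: the "Security bump (bug #493726)" line cites the bug that comment 2 marks as a duplicate of this one; reference bug #493664 instead, and name the CVEs from the bug title (CVE-2012-6150, CVE-2013-4408) so the ChangeLog entry can be traced back to the advisory.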
Comment 4 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2013-12-13 13:59:17 UTC
Arches please test and mark stable =net-fs/samba-3.6.22.

Target KEYWORDS are:
alpha amd64 arm hppa ia64 ~mips ppc ppc64 sparc x86 ~amd64-fbsd ~x86-fbsd ~arm-linux ~x86-linux
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2013-12-14 15:37:21 UTC
Stable for HPPA.
Comment 6 Agostino Sarubbo gentoo-dev 2013-12-15 19:02:26 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-12-15 19:02:40 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-12-15 19:02:54 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-12-15 19:03:06 UTC
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-12-15 19:25:07 UTC
arm stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-12-15 19:25:19 UTC
sparc stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-12-23 14:26:09 UTC
alpha stable
Comment 13 Agostino Sarubbo gentoo-dev 2014-01-12 13:17:49 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2014-05-21 04:10:23 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2015-02-26 08:59:07 UTC
This issue was resolved and addressed in
 GLSA 201502-15 at http://security.gentoo.org/glsa/glsa-201502-15.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).