From ${URL} :

It was reported [1] that Samba's pam_winbind module would fail open (allowing access) when the require_membership_of option is used as an argument to pam_winbind and contains a non-existent group as the value. In such a configuration, rather than failing and not permitting authentication, which is what would be expected, pam_winbind will allow authentication to proceed.

For instance, if the following is specified and the user is not a member of the group 'Admin', they will not obtain access to the system:

    auth sufficient pam_winbind.so use_first_pass require_membership_of=Admin

On the other hand, if the non-existent group 'AdminOops' is specified, even though the user is obviously not a member of said group, authentication will be permitted:

    auth sufficient pam_winbind.so use_first_pass require_membership_of=AdminOops

The commit [2] that most likely introduced this flaw indicates that this was introduced in October 2009, and another commit [3] looks like the fix, although that is for another bug [4] that's somewhat related to this issue and somewhat not.

[1] https://lists.samba.org/archive/samba-technical/2012-June/084593.html
[2] http://git.samba.org/?p=samba.git;a=commit;h=31f1a36901b5b8959dc51401c09c114829b50392
[3] http://git.samba.org/?p=samba.git;a=commitdiff;h=f62683956a3b182f6a61cc7a2b4ada2e74cde243
[4] https://bugzilla.samba.org/show_bug.cgi?id=8598

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
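The failure mode described in the report is a configuration value that silently stops enforcing anything. The real fix is the Samba update, but until that lands an administrator can at least detect the dangerous configuration. The following added audit script (example code written for this page, not Samba's or Gentoo's own) parses PAM configuration text, pulls out every require_membership_of value given to pam_winbind, and reports names that do not resolve to a group. It assumes both the underscore and hyphen spellings of the option are accepted, that values may be a comma-separated list of names or SIDs, and that SIDs cannot be checked through getent and are therefore skipped; the sample config and the KNOWN_GROUPS set are constructed stand-ins for a real system.

```python
"""Audit PAM configuration for pam_winbind require_membership_of values that do
not resolve to an existing group (added example; not Samba or Gentoo code)."""
import re
import subprocess
from typing import Callable, List, Tuple

# Assumption: pam_winbind accepts both require_membership_of and
# require-membership-of; the bug report above uses the underscore form.
OPTION_RE = re.compile(r"require[-_]membership[-_]of=(\S+)")
# Windows SIDs such as S-1-5-32-544; these are skipped rather than resolved.
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")


def parse_required_groups(pam_config: str) -> List[Tuple[int, str]]:
    """Return (line number, group spec) pairs for every pam_winbind line.

    Comments are stripped first so a commented-out line is never reported.
    Comma-separated values are split so each entry is checked on its own.
    """
    found = []
    for lineno, raw in enumerate(pam_config.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line or "pam_winbind" not in line:
            continue
        for match in OPTION_RE.finditer(line):
            for spec in match.group(1).split(","):
                if spec:
                    found.append((lineno, spec))
    return found


def group_exists_via_getent(name: str) -> bool:
    """Real resolver: ask NSS, which includes winbind when it is configured."""
    proc = subprocess.run(["getent", "group", name],
                          capture_output=True, text=True)
    return proc.returncode == 0


def audit(pam_config: str,
          resolver: Callable[[str], bool] = group_exists_via_getent) -> List[str]:
    """Return one finding per group name that does not resolve.

    A non-resolving name is exactly the condition under which the affected
    pam_winbind versions fail open instead of denying access.
    """
    findings = []
    for lineno, spec in parse_required_groups(pam_config):
        if SID_RE.match(spec):
            continue  # assumption: SIDs are not checkable via getent; skipped
        if not resolver(spec):
            findings.append(
                f"line {lineno}: require_membership_of group '{spec}' does not "
                f"resolve; on affected pam_winbind versions this fails open")
    return findings


# Constructed sample mirroring the two lines from the bug report.
SAMPLE_PAM_CONFIG = """\
# /etc/pam.d/system-auth (constructed sample, not a real file)
auth sufficient pam_winbind.so use_first_pass require_membership_of=Admin
auth sufficient pam_winbind.so use_first_pass require_membership_of=AdminOops,S-1-5-32-544
auth required pam_unix.so
"""

# Constructed stand-in for the groups getent would return on a real host.
KNOWN_GROUPS = {"Admin"}


def fake_resolver(name: str) -> bool:
    """Offline resolver used so the sample runs without winbind."""
    return name in KNOWN_GROUPS


if __name__ == "__main__":
    for finding in audit(SAMPLE_PAM_CONFIG, fake_resolver):
        print(finding)
```

On a real host, call audit() with the contents of each file under /etc/pam.d and the default getent-based resolver; any finding means the membership check is not doing what the administrator intended, whether or not the installed Samba is one of the fail-open versions.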
CVE-2012-6150 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6150): The winbind_name_list_to_sid_string_list function in nsswitch/pam_winbind.c in Samba through 4.1.2 handles invalid require_membership_of group names by accepting authentication by any user, which allows remote authenticated users to bypass intended access restrictions in opportunistic circumstances by leveraging an administrator's pam_winbind configuration-file mistake.
*** Bug 493726 has been marked as a duplicate of this bug. ***
+*samba-4.1.3 (09 Dec 2013) +*samba-4.0.13 (09 Dec 2013) +*samba-3.6.22 (09 Dec 2013) + + 09 Dec 2013; Lars Wendler <polynomial-c@gentoo.org> +samba-3.6.22.ebuild, + -samba-4.0.11.ebuild, +samba-4.0.13.ebuild, -samba-4.1.1.ebuild, + +samba-4.1.3.ebuild: + Security bump (bug #493726). Removed old. +
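Review bot: the changelog line "Security bump (bug #493726). Removed old." cites bug #493726, which the preceding comment records as a duplicate of this bug; referencing the canonical bug number (and the CVE identifier, CVE-2012-6150, given above) would make the security bump easier to trace from the ChangeLog.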
Arches please test and mark stable =net-fs/samba-3.6.22. Target KEYWORDS are: alpha amd64 arm hppa ia64 ~mips ppc ppc64 sparc x86 ~amd64-fbsd ~x86-fbsd ~arm-linux ~x86-linux
Stable for HPPA.
amd64 stable
x86 stable
ppc stable
ppc64 stable
arm stable
sparc stable
alpha stable
ia64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
Arches and Maintainer(s), Thank you for your work. New GLSA Request filed.
This issue was resolved and addressed in GLSA 201502-15 at http://security.gentoo.org/glsa/glsa-201502-15.xml by GLSA coordinator Kristian Fiskerstrand (K_F).