Bug#744153: pu: samba/2:3.6.6-6+deb7u3

2014-04-13 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Thu, 2014-04-10 at 22:38 +0200, Ivo De Decker wrote:
> The attached patch fixes CVE-2012-6150 and CVE-2013-4496. Please accept it for
> wheezy.

Please go ahead; thanks.

Regards,

Adam


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#744153: pu: samba/2:3.6.6-6+deb7u3

2014-04-13 Thread Ivo De Decker
Hi Adam,

On Sun, Apr 13, 2014 at 12:21:02PM +0100, Adam D. Barratt wrote:
> On Thu, 2014-04-10 at 22:38 +0200, Ivo De Decker wrote:
> > The attached patch fixes CVE-2012-6150 and CVE-2013-4496. Please accept it
> > for wheezy.
> 
> Please go ahead; thanks.

Thanks, uploaded.

Cheers,

Ivo



Bug#744153: pu: samba/2:3.6.6-6+deb7u3

2014-04-13 Thread Adam D. Barratt
Control: tags -1 + pending

On Sun, 2014-04-13 at 21:49 +0200, Ivo De Decker wrote:
> On Sun, Apr 13, 2014 at 12:21:02PM +0100, Adam D. Barratt wrote:
> > On Thu, 2014-04-10 at 22:38 +0200, Ivo De Decker wrote:
> > > The attached patch fixes CVE-2012-6150 and CVE-2013-4496. Please accept
> > > it for wheezy.
> > 
> > Please go ahead; thanks.
> 
> Thanks, uploaded.

Flagged for acceptance.

Regards,

Adam



Bug#744153: pu: samba/2:3.6.6-6+deb7u3

2014-04-10 Thread Ivo De Decker
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian@packages.debian.org
Usertags: pu

Dear release team,

The attached patch fixes CVE-2012-6150 and CVE-2013-4496. Please accept it for
wheezy.

Thanks in advance.

Cheers,

Ivo


diff -Nru samba-3.6.6/debian/changelog samba-3.6.6/debian/changelog
--- samba-3.6.6/debian/changelog2013-12-03 10:15:19.0 +0100
+++ samba-3.6.6/debian/changelog2014-04-10 21:46:25.0 +0200
@@ -1,3 +1,12 @@
+samba (2:3.6.6-6+deb7u3) wheezy; urgency=medium
+
+  * Security update
+  * CVE-2012-6150: pam_winbind login without require_membership_of
+restrictions
+  * CVE-2013-4496: Password lockout not enforced for SAMR password changes
+
+ -- Ivo De Decker ivo.dedec...@ugent.be  Thu, 10 Apr 2014 21:37:32 +0200
+
 samba (2:3.6.6-6+deb7u2) wheezy-security; urgency=high
 
   * Security update
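Review bot: the new 2:3.6.6-6+deb7u3 stanza records the two CVE titles but not the upstream references that the patch files themselves carry (bugzilla 10300 / commit f62683956a3b for CVE-2012-6150, bugzilla 10245 / commit 25066eb31d66 for CVE-2013-4496); adding them to the stanza, or at least as DEP-3 `Origin:`/`Bug:` headers in the two patch files, makes the backport traceable when the next wheezy update is prepared. Targeting `wheezy` with urgency=medium rather than `wheezy-security` with urgency=high, as the preceding +deb7u2 stanza did, is consistent with this going through proposed-updates instead of the security archive, so no change needed there.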
diff -Nru samba-3.6.6/debian/patches/security-CVE-2012-6150.patch 
samba-3.6.6/debian/patches/security-CVE-2012-6150.patch
--- samba-3.6.6/debian/patches/security-CVE-2012-6150.patch 1970-01-01 
01:00:00.0 +0100
+++ samba-3.6.6/debian/patches/security-CVE-2012-6150.patch 2014-04-10 
21:45:48.0 +0200
@@ -0,0 +1,55 @@
+
+CVE-2012-6150:
+Winbind allows for the further restriction of authenticated PAM logins using
+the require_membership_of parameter. System administrators may specify a list
+of SIDs or groups for which an authenticated user must be a member of. If an
+authenticated user does not belong to any of the entries, then login should
+fail. Invalid group name entries are ignored.
+
+Samba versions 3.3.10, 3.4.3, 3.5.0 and later incorrectly allow login from
+authenticated users if the require_membership_of parameter specifies only
+invalid group names.
+
+This is a vulnerability with low impact. All require_membership_of group
+names must be invalid for this bug to be encountered.
+
+
+From f62683956a3b182f6a61cc7a2b4ada2e74cde243 Mon Sep 17 00:00:00 2001
+From: Noel Power noel.po...@suse.com
+Date: Wed, 16 Oct 2013 16:30:55 +0100
+Subject: [PATCH] fail authentication for single group name which cannot be
+ converted to sid
+
+furthermore if more than one name is supplied and no sid is converted
+then also fail.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=10300
+
+Signed-off-by: Noel Power noel.po...@suse.com
+Reviewed-by: Andreas Schneider a...@samba.org
+Reviewed-by: David Disseldorp dd...@samba.org
+[dd...@samba.org: fixed incorrect bugzilla tag I added to master commit]
+---
+ nsswitch/pam_winbind.c | 6 ++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
+index 9322971..cd5e7ba 100644
+--- a/nsswitch/pam_winbind.c
 b/nsswitch/pam_winbind.c
+@@ -1172,6 +1172,12 @@ static bool winbind_name_list_to_sid_string_list(struct 
pwb_context *ctx,
+   _make_remark_format(ctx, PAM_TEXT_INFO, _(Cannot convert group 
%s 
+   to sid, please contact your administrator to 
see 
+   if group %s is valid.), search_location, 
search_location);
++
++  /* If no valid groups were converted we should fail outright */
++  if (name_list != NULL  strlen(sid_list_buffer) == 0) {
++  result = false;
++  goto out;
++  }
+   /*
+* The lookup of the last name failed..
+* It results in require_member_of_sid ends with ','
+-- 
+1.8.1.4
+
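Review bot: the added condition in the nested pam_winbind.c hunk reads `if (name_list != NULL  strlen(sid_list_buffer) == 0) {` with no operator between the two operands, and the `b/nsswitch/pam_winbind.c` header line has lost its leading `+++`; both look like the list archive dropping `&` characters and leading `+` signs rather than a defect in the file, but the uploaded patch should be checked for the `&&` and for applying cleanly under quilt. On the logic, the check sits in the last-name branch of winbind_name_list_to_sid_string_list (the remark just before it formats `search_location`, and the comment after it says "The lookup of the last name failed.."), so it fails the login only when the final entry does not resolve and nothing earlier was appended to `sid_list_buffer`; that matches the commit message, a single unresolvable name fails and a list in which no name resolved fails, while an earlier unresolvable name followed by a valid last one still passes, preserving the documented "invalid group name entries are ignored" behaviour. The `result` variable and the `out:` label used by `result = false; goto out;` are outside the shown context; confirm both exist in the 3.6.6 version of the function, since the commit was authored against a later branch and the header notes only a bugzilla-tag fix, not an adaptation.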
diff -Nru samba-3.6.6/debian/patches/security-CVE-2013-4496.patch 
samba-3.6.6/debian/patches/security-CVE-2013-4496.patch
--- samba-3.6.6/debian/patches/security-CVE-2013-4496.patch 1970-01-01 
01:00:00.0 +0100
+++ samba-3.6.6/debian/patches/security-CVE-2013-4496.patch 2014-04-10 
21:45:48.0 +0200
@@ -0,0 +1,982 @@
+   ==
+   Release Notes for Samba 3.6.23
+   March 11, 2014
+   ==
+
+This is a security release in order to address
+CVE-2013-4496 (Password lockout not enforced for SAMR password changes).
+
+CVE-2013-4496:
+Samba versions 3.4.0 and above allow the administrator to implement
+locking out Samba accounts after a number of bad password attempts.
+
+However, all released versions of Samba did not implement this check for
+password changes, such as are available over multiple SAMR and RAP
+interfaces, allowing password guessing attacks.
+
+
+
+From 25066eb31d6608075b5993b0d19b3e0843cdadeb Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett abart...@samba.org
+Date: Fri, 1 Nov 2013 14:55:44 +1300
+Subject: [PATCH 1/3] CVE-2013-4496:s3-samr: Block attempts to crack passwords
+ via repeated password changes
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=10245
+
+Signed-off-by: Andrew Bartlett abart...@samba.org
+Signed-off-by: Stefan Metzmacher me...@samba.org
+Signed-off-by: Jeremy Allison
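Review bot: the page ends here after the `Signed-off-by: Jeremy Allison` line, so of the 982 lines the hunk header announces only the 3.6.23 release-notes preamble and the start of the first of three upstream commits (`[PATCH 1/3]`, bugzilla 10245) are visible, and the remaining two commits cannot be reviewed from this message. Since one quilt file bundles three upstream commits, listing each commit hash in a DEP-3 `Origin:` header (or splitting the file per commit, as was done for CVE-2012-6150) would make clear which upstream changes were backported. One consistency point: the release-notes text says the lockout check was missing for password changes over "multiple SAMR and RAP interfaces", while the changelog stanza names only SAMR; if the backport also covers the RAP path, the changelog entry should say so.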