Bug#744153: pu: samba/2:3.6.6-6+deb7u3

2014-04-13 Thread Adam D. Barratt
Control: tags -1 + pending

On Sun, 2014-04-13 at 21:49 +0200, Ivo De Decker wrote:
> On Sun, Apr 13, 2014 at 12:21:02PM +0100, Adam D. Barratt wrote:
> > On Thu, 2014-04-10 at 22:38 +0200, Ivo De Decker wrote:
> > > The attached patch fixes CVE-2012-6150 and CVE-2013-4496. Please accept it for
> > > wheezy.
> > 
> > Please go ahead; thanks.
> 
> Thanks, uploaded.

Flagged for acceptance.

Regards,

Adam


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/1397421679.24647.52.ca...@jacala.jungle.funky-badger.org



Processed: Re: Bug#744153: pu: samba/2:3.6.6-6+deb7u3

2014-04-13 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #744153 [release.debian.org] pu: samba/2:3.6.6-6+deb7u3
Added tag(s) pending.

-- 
744153: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=744153
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems


Archive: https://lists.debian.org/handler.s.b744153.13974216874592.transcr...@bugs.debian.org



Bug#744153: pu: samba/2:3.6.6-6+deb7u3

2014-04-13 Thread Ivo De Decker
Hi Adam,

On Sun, Apr 13, 2014 at 12:21:02PM +0100, Adam D. Barratt wrote:
> On Thu, 2014-04-10 at 22:38 +0200, Ivo De Decker wrote:
> > The attached patch fixes CVE-2012-6150 and CVE-2013-4496. Please accept it for
> > wheezy.
> 
> Please go ahead; thanks.

Thanks, uploaded.

Cheers,

Ivo


Archive: https://lists.debian.org/20140413194904.ga8...@ugent.be



Processed: Re: Bug#744153: pu: samba/2:3.6.6-6+deb7u3

2014-04-13 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #744153 [release.debian.org] pu: samba/2:3.6.6-6+deb7u3
Added tag(s) confirmed.



Archive: https://lists.debian.org/handler.s.b744153.139738807030455.transcr...@bugs.debian.org



Bug#744153: pu: samba/2:3.6.6-6+deb7u3

2014-04-13 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Thu, 2014-04-10 at 22:38 +0200, Ivo De Decker wrote:
> The attached patch fixes CVE-2012-6150 and CVE-2013-4496. Please accept it for
> wheezy.

Please go ahead; thanks.

Regards,

Adam


Archive: https://lists.debian.org/1397388062.24647.11.ca...@jacala.jungle.funky-badger.org



Bug#744153: pu: samba/2:3.6.6-6+deb7u3

2014-04-10 Thread Ivo De Decker
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian@packages.debian.org
Usertags: pu

Dear release team,

The attached patch fixes CVE-2012-6150 and CVE-2013-4496. Please accept it for
wheezy.

Thanks in advance.

Cheers,

Ivo


diff -Nru samba-3.6.6/debian/changelog samba-3.6.6/debian/changelog
--- samba-3.6.6/debian/changelog2013-12-03 10:15:19.0 +0100
+++ samba-3.6.6/debian/changelog2014-04-10 21:46:25.0 +0200
@@ -1,3 +1,12 @@
+samba (2:3.6.6-6+deb7u3) wheezy; urgency=medium
+
+  * Security update
+  * CVE-2012-6150: pam_winbind login without require_membership_of
+restrictions
+  * CVE-2013-4496: Password lockout not enforced for SAMR password changes
+
+ -- Ivo De Decker   Thu, 10 Apr 2014 21:37:32 +0200
+
 samba (2:3.6.6-6+deb7u2) wheezy-security; urgency=high
 
   * Security update
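Review bot: the two CVE bullets name the issues but not where the fixes come from; each added patch file carries an upstream reference (bugzilla 10300 for CVE-2012-6150, bugzilla 10245 and the Samba 3.6.23 security release for CVE-2013-4496), and the changelog should cite them so the wheezy entry can be audited without opening debian/patches, e.g. `* CVE-2013-4496: Password lockout not enforced for SAMR password changes (from the Samba 3.6.23 security release)`. The `* Security update` line then adds nothing the CVE lines do not already say. Targeting `wheezy` with `urgency=medium` (rather than `wheezy-security` with `urgency=high`, as for deb7u2 just below) is what a pu upload is expected to do, so that part is fine.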
diff -Nru samba-3.6.6/debian/patches/security-CVE-2012-6150.patch 
samba-3.6.6/debian/patches/security-CVE-2012-6150.patch
--- samba-3.6.6/debian/patches/security-CVE-2012-6150.patch 1970-01-01 
01:00:00.0 +0100
+++ samba-3.6.6/debian/patches/security-CVE-2012-6150.patch 2014-04-10 
21:45:48.0 +0200
@@ -0,0 +1,55 @@
+
+CVE-2012-6150:
+Winbind allows for the further restriction of authenticated PAM logins using
+the require_membership_of parameter. System administrators may specify a list
+of SIDs or groups for which an authenticated user must be a member of. If an
+authenticated user does not belong to any of the entries, then login should
+fail. Invalid group name entries are ignored.
+
+Samba versions 3.3.10, 3.4.3, 3.5.0 and later incorrectly allow login from
+authenticated users if the require_membership_of parameter specifies only
+invalid group names.
+
+This is a vulnerability with low impact. All require_membership_of group
+names must be invalid for this bug to be encountered.
+
+
+From f62683956a3b182f6a61cc7a2b4ada2e74cde243 Mon Sep 17 00:00:00 2001
+From: Noel Power 
+Date: Wed, 16 Oct 2013 16:30:55 +0100
+Subject: [PATCH] fail authentication for single group name which cannot be
+ converted to sid
+
+furthermore if more than one name is supplied and no sid is converted
+then also fail.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=10300
+
+Signed-off-by: Noel Power 
+Reviewed-by: Andreas Schneider 
+Reviewed-by: David Disseldorp 
+[dd...@samba.org: fixed incorrect bugzilla tag I added to master commit]
+---
+ nsswitch/pam_winbind.c | 6 ++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
+index 9322971..cd5e7ba 100644
+--- a/nsswitch/pam_winbind.c
 b/nsswitch/pam_winbind.c
+@@ -1172,6 +1172,12 @@ static bool winbind_name_list_to_sid_string_list(struct 
pwb_context *ctx,
+   _make_remark_format(ctx, PAM_TEXT_INFO, _("Cannot convert group 
%s "
+   "to sid, please contact your administrator to 
see "
+   "if group %s is valid."), search_location, 
search_location);
++
++  /* If no valid groups were converted we should fail outright */
++  if (name_list != NULL && strlen(sid_list_buffer) == 0) {
++  result = false;
++  goto out;
++  }
+   /*
+* The lookup of the last name failed..
+* It results in require_member_of_sid ends with ','
+-- 
+1.8.1.4
+
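Review bot: the `+++ b/nsswitch/pam_winbind.c` file header has lost its prefix and appears here as a bare `b/nsswitch/pam_winbind.c` line; if that is what is in the uploaded debian/patches file rather than an artefact of the archive rendering, patch will not pair it with the `--- a/nsswitch/pam_winbind.c` line and `quilt push` will fail, so check that the patch applies to the unpacked wheezy source before acceptance. On the logic itself, the new `strlen(sid_list_buffer) == 0` test sits in the branch for the last name of the list (the context comment `The lookup of the last name failed..` confirms it), so it runs after every earlier name has had its chance to convert and is not order dependent; it does, however, rely on `sid_list_buffer` having been set to the empty string before the loop and on `result` and the `out:` label existing in the 3.6.6 version of `winbind_name_list_to_sid_string_list`, none of which is in the six-line context, and since the upstream commit (dated Oct 2013) was not written against 3.6.6 that should be confirmed against the wheezy tree rather than assumed. The `name_list != NULL` guard appears redundant at this point, as the function has already been walking `name_list` to reach the last-name branch.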
diff -Nru samba-3.6.6/debian/patches/security-CVE-2013-4496.patch 
samba-3.6.6/debian/patches/security-CVE-2013-4496.patch
--- samba-3.6.6/debian/patches/security-CVE-2013-4496.patch 1970-01-01 
01:00:00.0 +0100
+++ samba-3.6.6/debian/patches/security-CVE-2013-4496.patch 2014-04-10 
21:45:48.0 +0200
@@ -0,0 +1,982 @@
+   ==
+   Release Notes for Samba 3.6.23
+   March 11, 2014
+   ==
+
+This is a security release in order to address
+CVE-2013-4496 (Password lockout not enforced for SAMR password changes).
+
+CVE-2013-4496:
+Samba versions 3.4.0 and above allow the administrator to implement
+locking out Samba accounts after a number of bad password attempts.
+
+However, all released versions of Samba did not implement this check for
+password changes, such as are available over multiple SAMR and RAP
+interfaces, allowing password guessing attacks.
+
+
+
+From 25066eb31d6608075b5993b0d19b3e0843cdadeb Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett 
+Date: Fri, 1 Nov 2013 14:55:44 +1300
+Subject: [PATCH 1/3] CVE-2013-4496:s3-samr: Block attempts to crack passwords
+ via repeated password changes
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=10245
+
+Signed-off-by: Andrew Bartlett 
+Signed-off-by: Stefan Metzmacher 
+Signed-off-by: Jeremy Allison 
+Reviewed-by: Stefan Metzmacher 
+Reviewed-by: Jeremy Allison 
+Reviewed-by: Andreas Schneider 
+---
+ source3/rpc_server/samr/srv_samr_ch
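Review bot: only the Samba 3.6.23 release-note preamble and the header of the first of three commits (`[PATCH 1/3]`) are visible before this hunk breaks off at `source3/rpc_server/samr/srv_samr_ch`, so patches 2/3 and 3/3 cannot be reviewed here; confirm that the file in the upload contains all three commits from the 3.6.23 security release. The preamble says the lockout check was missing from password changes over "multiple SAMR and RAP interfaces", while the visible diffstat for 1/3 touches only `source3/rpc_server/samr/`, so whether the RAP path is covered has to be verified in the remaining two commits rather than in the SAMR change alone. A DEP-3 `Origin:` line pointing at the 3.6.23 release would also make the provenance of a 982-line patch file clear without reading the release notes embedded in it.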