Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian@packages.debian.org
Usertags: pu
Dear release team,

The attached patch fixes CVE-2012-6150 and CVE-2013-4496. Please accept it for
wheezy.

Thanks in advance.

Cheers,
Ivo
diff -Nru samba-3.6.6/debian/changelog samba-3.6.6/debian/changelog
--- samba-3.6.6/debian/changelog2013-12-03 10:15:19.0 +0100
+++ samba-3.6.6/debian/changelog2014-04-10 21:46:25.0 +0200
@@ -1,3 +1,12 @@
+samba (2:3.6.6-6+deb7u3) wheezy; urgency=medium
+
+ * Security update
+ * CVE-2012-6150: pam_winbind login without require_membership_of
+restrictions
+ * CVE-2013-4496: Password lockout not enforced for SAMR password changes
+
+ -- Ivo De Decker Thu, 10 Apr 2014 21:37:32 +0200
+
samba (2:3.6.6-6+deb7u2) wheezy-security; urgency=high
* Security update
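Review bot: the continuation line `+restrictions` under the CVE-2012-6150 bullet has no leading whitespace, so dpkg-parsechangelog will not read it as part of that bullet; if this is not an artifact of how the mail was rendered, indent it to match the bullet text (`+    restrictions`). The version bump to 2:3.6.6-6+deb7u3 with distribution `wheezy` is the right form for a proposed-update upload.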
diff -Nru samba-3.6.6/debian/patches/security-CVE-2012-6150.patch
samba-3.6.6/debian/patches/security-CVE-2012-6150.patch
--- samba-3.6.6/debian/patches/security-CVE-2012-6150.patch 1970-01-01
01:00:00.0 +0100
+++ samba-3.6.6/debian/patches/security-CVE-2012-6150.patch 2014-04-10
21:45:48.0 +0200
@@ -0,0 +1,55 @@
+
+CVE-2012-6150:
+Winbind allows for the further restriction of authenticated PAM logins using
+the require_membership_of parameter. System administrators may specify a list
+of SIDs or groups for which an authenticated user must be a member of. If an
+authenticated user does not belong to any of the entries, then login should
+fail. Invalid group name entries are ignored.
+
+Samba versions 3.3.10, 3.4.3, 3.5.0 and later incorrectly allow login from
+authenticated users if the require_membership_of parameter specifies only
+invalid group names.
+
+This is a vulnerability with low impact. All require_membership_of group
+names must be invalid for this bug to be encountered.
+
+
+From f62683956a3b182f6a61cc7a2b4ada2e74cde243 Mon Sep 17 00:00:00 2001
+From: Noel Power
+Date: Wed, 16 Oct 2013 16:30:55 +0100
+Subject: [PATCH] fail authentication for single group name which cannot be
+ converted to sid
+
+furthermore if more than one name is supplied and no sid is converted
+then also fail.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=10300
+
+Signed-off-by: Noel Power
+Reviewed-by: Andreas Schneider
+Reviewed-by: David Disseldorp
+[dd...@samba.org: fixed incorrect bugzilla tag I added to master commit]
+---
+ nsswitch/pam_winbind.c | 6 ++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
+index 9322971..cd5e7ba 100644
+--- a/nsswitch/pam_winbind.c
b/nsswitch/pam_winbind.c
+@@ -1172,6 +1172,12 @@ static bool winbind_name_list_to_sid_string_list(struct
pwb_context *ctx,
+ _make_remark_format(ctx, PAM_TEXT_INFO, _("Cannot convert group
%s "
+ "to sid, please contact your administrator to
see "
+ "if group %s is valid."), search_location,
search_location);
++
++ /* If no valid groups were converted we should fail outright */
++ if (name_list != NULL && strlen(sid_list_buffer) == 0) {
++ result = false;
++ goto out;
++ }
+ /*
+* The lookup of the last name failed..
+* It results in require_member_of_sid ends with ','
+--
+1.8.1.4
+
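Review bot: no hunk for debian/patches/series appears in this diff, so unless that change is elsewhere in the attachment, quilt will not apply security-CVE-2012-6150.patch at build time; add the file name to the series. On the code itself, the new check sits in the branch that handles the final name of the list (the remark uses `search_location` and the following comment reads `The lookup of the last name failed..`), and it only fails the lookup when `sid_list_buffer` is still empty, which is exactly the case the description calls out where every require_membership_of entry is invalid; a list with an earlier failed entry and a later valid one still passes, as the commit message intends.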
diff -Nru samba-3.6.6/debian/patches/security-CVE-2013-4496.patch
samba-3.6.6/debian/patches/security-CVE-2013-4496.patch
--- samba-3.6.6/debian/patches/security-CVE-2013-4496.patch 1970-01-01
01:00:00.0 +0100
+++ samba-3.6.6/debian/patches/security-CVE-2013-4496.patch 2014-04-10
21:45:48.0 +0200
@@ -0,0 +1,982 @@
+ ==
+ Release Notes for Samba 3.6.23
+ March 11, 2014
+ ==
+
+This is a security release in order to address
+CVE-2013-4496 (Password lockout not enforced for SAMR password changes).
+
+CVE-2013-4496:
+Samba versions 3.4.0 and above allow the administrator to implement
+locking out Samba accounts after a number of bad password attempts.
+
+However, all released versions of Samba did not implement this check for
+password changes, such as are available over multiple SAMR and RAP
+interfaces, allowing password guessing attacks.
+
+
+
+From 25066eb31d6608075b5993b0d19b3e0843cdadeb Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett
+Date: Fri, 1 Nov 2013 14:55:44 +1300
+Subject: [PATCH 1/3] CVE-2013-4496:s3-samr: Block attempts to crack passwords
+ via repeated password changes
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=10245
+
+Signed-off-by: Andrew Bartlett
+Signed-off-by: Stefan Metzmacher
+Signed-off-by: Jeremy Allison
+Reviewed-by: Stefan Metzmacher
+Reviewed-by: Jeremy Allison
+Reviewed-by: Andreas Schneider
+---
+ source3/rpc_server/samr/srv_samr_ch
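Review bot: the diff is cut off inside the patch header at `source3/rpc_server/samr/srv_samr_ch`, so none of the 982 lines past this point can be checked here, and the Subject shows this file bundles three upstream commits (`[PATCH 1/3]`); please resend or attach the complete file so the remaining two commits can be reviewed as well. Prefixing the full 3.6.23 release notes is acceptable for context, but the CVE-2013-4496 description and the `Bug:` URL are the parts a DEP-3 reader needs, so consider keeping the header to those.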