SB2013121007 - Input validation error in samba (Alpine package)
Published: December 10, 2013
Security Bulletin ID
SB2013121007
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Input validation error (CVE-ID: CVE-2012-6150)
The vulnerability allows a remote #AU# to read and manipulate data.
The winbind_name_list_to_sid_string_list function in nsswitch/pam_winbind.c in Samba through 4.1.2 handles invalid require_membership_of group names by accepting authentication by any user, which allows remote authenticated users to bypass intended access restrictions in opportunistic circumstances by leveraging an administrator's pam_winbind configuration-file mistake.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=62722265236fe9b456b06077a278c59167d698d0
- https://git.alpinelinux.org/aports/commit/?id=c814185629eb7f0e1166f5ba094e8402cefd1587
- https://git.alpinelinux.org/aports/commit/?id=34697bf099f0ece957068bf39dc6c622f5141bd0
- https://git.alpinelinux.org/aports/commit/?id=5d3b50a2026251615d9737322617519e8711a5de