Bug 286271 (CVE-2007-4138)

Summary: CVE-2007-4138 samba incorrect primary group assignment for domain users using the rfc2307 or sfu winbind nss info plugin
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: kreilly, samba-bugs-list
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://www.samba.org/samba/security/CVE-2007-4138.html
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-01-08 12:29:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 286311, 351481, 351491, 351501, 351511    
Bug Blocks: 338811, 338821    

Description Tomas Hoger 2007-09-11 16:04:19 UTC 
New Samba release 3.0.26 fixes following security issue [1]:

Summary:

When the "winbind nss info" parameter in smb.conf is set to either "sfu" or
"rfc2307", Windows users are incorrectly assigned a primary gid of 0 in the
absence of the RFC2307 or Services or Unix (SFU) primary group attributes.

Description:

The idmap_ad.so library provides an nss_info extension to Winbind
for retrieving a user's home directory path, login shell and
primary group id from an Active Directory domain controller.  This
functionality is enabled by defining the "winbind nss info"
smb.conf option to either "sfu" or "rfc2307".

Both the Windows "Identity Management for Unix" and "Services for
Unix" MMC plug-ins allow a user to be assigned a primary group
for Unix clients that differs from the user's Windows primary group.
When the rfc2307 or sfu nss_info plugin has been enabled, in
the absence of either the RFC2307 or SFU primary group attribute,
Winbind will assign a primary group ID of 0 to the domain user
queried using the getpwnam() C library call.

Only affects versions: 3.0.25 - 3.0.25c

Patch: [2]

[1] http://www.samba.org/samba/security/CVE-2007-4138.html
[2] http://www.samba.org/samba/ftp/patches/security/samba-3.0.25-CVE-2007-4138.patch

Acknowledgements:

Red Hat would like to thank Rick King for responsibly disclosing this issue.
Comment 2 Tomas Hoger 2007-09-11 16:17:53 UTC 
This issue did not affect version of samba as shipped with Red Hat Enterprise
Linux 2.1, 3, 4, or 5.
Comment 3 Josh Bressers 2007-10-24 17:06:25 UTC 
This issue does however affect the versions of Samba being shipped in Red Hat
Enterprise Linux 4.6 and 5.1.
Comment 7 Tomas Hoger 2008-01-08 12:29:48 UTC 
Fixed in affected products:

Red Hat Enterprise Linux:  	
  http://rhn.redhat.com/errata/RHSA-2007-1016.html
  http://rhn.redhat.com/errata/RHSA-2007-1017.html

Fedora:
  updated to fixed upstream version