CVE-2012-6150: Fail authentication for single group name which cannot be converted...
author Noel Power <noel.power@suse.com>
Wed, 16 Oct 2013 15:30:55 +0000 (16:30 +0100)
committer Karolin Seeger <kseeger@samba.org>
Thu, 5 Dec 2013 10:11:57 +0000 (11:11 +0100)
furthermore if more than one name is supplied and no sid is converted
then also fail.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10300
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10306

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
[ddiss@samba.org: fixed incorrect bugzilla tag I added to master commit]

nsswitch/pam_winbind.c

index d1264943a79c8d9ac9728bb2756a7b37651f9e5e..8f5ad5075232a5348bc773bf926282d6d1a48a3c 100644 (file)
@@ -1184,6 +1184,12 @@ static bool winbind_name_list_to_sid_string_list(struct pwb_context *ctx,
                _make_remark_format(ctx, PAM_TEXT_INFO, _("Cannot convert group %s "
                                "to sid, please contact your administrator to see "
                                "if group %s is valid."), search_location, search_location);
+
+               /* If no valid groups were converted we should fail outright */
+               if (name_list != NULL && strlen(sid_list_buffer) == 0) {
+                       result = false;
+                       goto out;
+               }
                /*
                 * The lookup of the last name failed..
                 * It results in require_member_of_sid ends with ','
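
Review bot: The new test `if (name_list != NULL && strlen(sid_list_buffer) == 0)` is only correct if sid_list_buffer is a NUL-terminated empty string whenever no SID has been appended, and nothing in this hunk shows that. Please confirm the buffer is initialised that way before the first lookup, or say so in the comment, because an uninitialised buffer here would let the empty require_member_of_sid case through and skip the failure this fix is meant to enforce. The comment also does not explain why the `name_list != NULL` guard is needed on a path where a name lookup has just failed; either state the case it protects against or drop it. Minor points: `sid_list_buffer[0] == '\0'` expresses the emptiness check without walking the string, a blank line between the closing brace and the following comment block would match the blank line added above, and since the user only sees the "Cannot convert group" remark, a log line before `goto out` stating that authentication is being refused because no group could be converted would help whoever has to debug a denied login.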