[Pkg-kde-extras] smb4k CVE-2017-8849

Markus Koschany apo at debian.org
Thu Jun 15 16:49:56 UTC 2017


Hi Salvatore,

On 15.06.2017 at 05:53, Salvatore Bonaccorso wrote:
[...]
> As confirmed by upstream (for the jessie-Version):
> 
> ----cut---------cut---------cut---------cut---------cut---------cut-----
>   proc.setProgram( args["command"].toStringList() );
> 
>   // Run the mount process.
>   proc.start();
> ----cut---------cut---------cut---------cut---------cut---------cut-----
> 
> is affected due to this. The helper is then running whatever thing
> one gives it through dbus.
> 
> So at least for jessie, this should not be marked as not-affected, I
> have not looked at wheezy, which has 1.0.1 based version.
> 
> It now might be quite hard to do the right backporting. And depending
> on the changes between 1.1.2 and 1.2.1 it might be as well not
> feasible to update to a new upstream version as suggested by
> upstream.

Then args["command"] must be something that can only be passed to smb4k
via dbus and it is unrelated to the code in core/smb4kmounter_p.cpp.
Otherwise it makes no sense to me. It would have been nice if we had
access to the actual exploit but it seems it was never attached to the
report on the oss-security list.

Then I suggest we backport the Stretch version of smb4k to Wheezy and
Jessie. I have done this a few minutes ago for Wheezy and it was quite
painless. It pulls in a new dependency, libqt4-test, but apart from
that, mounting and unmounting of shares works as expected.

What do you think?

Markus
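
Added example, not part of the original mail and not smb4k code: the pattern quoted above, where the privileged helper executes the caller-supplied `args["command"]` list, next to a form in which the helper fixes the program itself and accepts only validated fields. The field names `share`, `mountpoint` and `options`, the path `/sbin/mount.cifs` and the option allow-list are assumptions made for illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

using Strs = std::vector<std::string>;
using Args = std::map<std::string, Strs>;  // constructed stand-in for the D-Bus argument map

// Pattern quoted in the mail: the caller-supplied list becomes program + arguments.
Strs unsafeArgv(const Args& a) { return a.count("command") ? a.at("command") : Strs{}; }

static const std::string kMount = "/sbin/mount.cifs";  // assumed path, fixed by the helper
static const std::set<std::string> kOpts = {"ro", "rw", "uid", "gid", "port"};  // hypothetical allow-list
static bool alnum(unsigned char c) { return std::isalnum(c) != 0; }

// True if s starts with prefix, contains no "..", and uses only [A-Za-z0-9/._-].
static bool clean(const std::string& s, const std::string& prefix) {
    if (s.compare(0, prefix.size(), prefix) != 0 || s.find("..") != std::string::npos) return false;
    return std::all_of(s.begin(), s.end(), [](unsigned char c) {
        return alnum(c) || c == '/' || c == '.' || c == '_' || c == '-'; });
}

// Hardened form: ignore "command"; build argv from validated fields, or return {} to refuse.
Strs safeArgv(const Args& a) {
    auto one = [&](const char* k) -> const std::string* {
        auto it = a.find(k);
        return (it != a.end() && it->second.size() == 1) ? &it->second[0] : nullptr;
    };
    const std::string *share = one("share"), *mp = one("mountpoint");
    if (!share || !mp || !clean(*share, "//") || !clean(*mp, "/")) return {};
    std::string joined;
    for (const auto& o : a.count("options") ? a.at("options") : Strs{}) {
        const auto eq = o.find('=');
        const std::string val = eq == std::string::npos ? "" : o.substr(eq + 1);
        if (!kOpts.count(o.substr(0, eq)) || !std::all_of(val.begin(), val.end(), alnum)) return {};
        joined += (joined.empty() ? "" : ",") + o;
    }
    Strs argv = {kMount, *share, *mp};
    if (!joined.empty()) { argv.push_back("-o"); argv.push_back(joined); }
    return argv;
}

int main() {  // constructed request; "command" is caller-controlled and never reaches argv
    Args req = {{"command", {"/tmp/anything"}}, {"share", {"//fileserver/docs"}},
                {"mountpoint", {"/mnt/docs"}}, {"options", {"ro", "uid=1000"}}};
    for (const auto& s : safeArgv(req)) std::cout << s << '\n';
}
```

Requiring the `//` and `/` prefixes also keeps a field from being read as a command-line option, and rejecting `,` in option values keeps one allowed option from carrying a second one.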
