Smb4K 0.6.4 has been released on 30.10. Smb4K is an SMB/CIFS share browser for KDE. It uses the Samba software suite to access the SMB/CIFS shares of the local network neighborhood. There is smb4k-0.6.4.ebuild in the attachment; I've just renamed the previous 0.6.3.ebuild and compiled it successfully.
Created attachment 71850: smb4k-0.6.4.ebuild
Ilya: If the ebuild doesn't need to be changed, attaching it is unnecessary. If you attach something, a unified diff is preferred.

Seems we missed something...

ChangeLog Smb4K 0.6.3:
* Fixed security issue: An attacker could get access to the full contents of the /etc/super.tab or /etc/sudoers file by linking a simple text file FILE to /tmp/smb4k.tmp and /tmp/sudoers, respectively, because Smb4K didn't check for the existence of these files before writing any contents. When using super, the attack also resulted in /etc/super.tab being a symlink to FILE.

ChangeLog Smb4K 0.6.4:
* REALLY fixed the security issues in Smb4KFileIO. Now, temporary files and directories are used to copy and modify sensitive data and the lock file is checked to be not a symlink.

v.0.6.4 just hit cvs.
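To make the bug class in the ChangeLog above concrete, here is an added example written for this page; it is not Smb4K's code and does not reproduce the Smb4KFileIO logic. It contrasts the unsafe pattern (write sensitive data to a fixed, predictable path without checking what is already there) with a hardened write that refuses a pre-existing path or symlink, and runs both against a constructed attacker-planted symlink in a private scratch directory. The function names naive_write, safe_write and demo_symlink_attack, and the stand-in "sudoers" content, are assumptions made for the example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* O_NOFOLLOW and mkdtemp() on glibc */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the 0.6.3 ChangeLog describes: write to a fixed, predictable
 * path under /tmp without checking whether something already exists there.
 * If an attacker planted a symlink at that path, open() follows it and the
 * data lands in the attacker's file.  Returns 0 on success, -1 on failure. */
static int naive_write(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Hardened variant: O_EXCL refuses any pre-existing path (a symlink counts,
 * dangling or not), O_NOFOLLOW refuses to traverse a symlink in the final
 * component, and fstat() on the descriptor we actually obtained confirms it
 * is a fresh regular file owned by us.  Returns 0 on success, -1 if the path
 * was already present or is not what we expect. */
static int safe_write(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != getuid() || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Constructed scenario (not a reproduction against Smb4K itself): in a
 * private scratch directory the "attacker" creates an empty file FILE and a
 * symlink smb4k.tmp -> FILE; the "privileged program" then writes a stand-in
 * for /etc/sudoers content to smb4k.tmp.  Returns 1 if the secret ended up in
 * FILE, 0 if the write was refused and FILE stayed empty, -1 on setup error. */
int demo_symlink_attack(int use_safe)
{
    const char *tmp = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    char dir[256], victim[300], link[300];
    snprintf(dir, sizeof dir, "%s/smb4k-demo-XXXXXX", tmp);
    if (!mkdtemp(dir))                /* unpredictable name: no race on this one */
        return -1;
    snprintf(victim, sizeof victim, "%s/FILE", dir);
    snprintf(link, sizeof link, "%s/smb4k.tmp", dir);

    /* Attacker's preparation. */
    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    if (symlink(victim, link) != 0)
        return -1;

    /* Privileged program writes sensitive data to the predictable path. */
    const char *secret = "root ALL=(ALL) ALL\n";   /* constructed stand-in */
    int rc = use_safe ? safe_write(link, secret) : naive_write(link, secret);

    /* What does the attacker's file contain now? */
    char buf[128] = {0};
    ssize_t n = -1;
    int rfd = open(victim, O_RDONLY);
    if (rfd >= 0) {
        n = read(rfd, buf, sizeof buf - 1);
        close(rfd);
    }
    int leaked = (n > 0 && strcmp(buf, secret) == 0);

    unlink(link);
    unlink(victim);
    rmdir(dir);

    if (use_safe)
        return (rc == -1 && !leaked) ? 0 : 1;
    return leaked ? 1 : 0;
}

int main(void)
{
    printf("naive write through symlink leaked secret: %d\n", demo_symlink_attack(0));
    printf("hardened write leaked secret:             %d\n", demo_symlink_attack(1));
    return 0;
}
```

The scratch directory is created with mkdtemp() so that the demo itself is not racy, which is also the shape of the 0.6.4 fix ("temporary files and directories are used"): an unpredictable name the attacker cannot pre-create. Note that the demo deliberately uses a private, non-sticky directory; on a Linux kernel with fs.protected_symlinks enabled, following a symlink owned by another user inside a sticky world-writable /tmp is already blocked, so the naive write can fail there for reasons unrelated to the application's own check. The mv-into-/etc facet discussed later in this bug is not covered by this example.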
Arches please test and mark stable.
Stable on ppc.
x86 done
Stable on amd64.
Ready for GLSA vote.
I tend to vote yes, but I don't understand what the exact impact is...
A weak NO from here. Carlo, could you elaborate on the impact?
Looking at the code, in fact smb4k does (as kdesu root) the following: chown root:root "+tmp_path+" && chmod "+perm+" "+tmp_path+" && mv "+tmp_path+" "+item->path() with item->path() = /etc/sudoers... and tmp_path might be under the control of the attacker, so it smells very bad. I vote yes, but in fact I think no vote is needed.
GLSA 200511-15