Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 618106 (CVE-2017-8849)

Summary: <net-misc/smb4k-{1.2.3-r1,2.0.0-r1}: unauthorized local command execution as root
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major Flags: stable-bot: sanity-check+
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1449656
Whiteboard: B1 [glsa cve]
Package list:
net-misc/smb4k-1.2.3-r1
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2017-05-10 13:03:27 UTC
From ${URL} :

Smb4k contains a logic flaw in which mount helper binary does not properly verify the mount command it is being asked to run. This allows calling any other binary as root since the mount helper is 
typically installed as suid.

Affected versions: smb4k <= 2.0.0

Upstream fixes:

smb4k 2.0.0: https://commits.kde.org/smb4k/a90289b0962663bc1d247bbbd31b9e65b2ca000e
smb4k 1.2.3: https://commits.kde.org/smb4k/71554140bdaede27b95dbe4c9b5a028a83c83cce

External References:

https://www.kde.org/info/security/advisory-20170510-2.txt


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Andreas Sturmlechner gentoo-dev 2017-05-10 18:10:28 UTC
Fixed versions smb4k-1.2.3-r1 and 2.0.0-r1 added in git commit d39d7aa14725bc031c1e1b588b7dafa9198111bd.

Please stabilise 1.2.3-r1 so we can cleanup remaining vulnerable current stable 1.2.1.
Comment 2 Agostino Sarubbo gentoo-dev 2017-05-11 07:51:45 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2017-05-11 08:37:56 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 4 Andreas Sturmlechner gentoo-dev 2017-05-11 22:05:30 UTC
Cleaned up 1.2.1, remaining versions are all fixed.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2017-05-26 06:30:57 UTC
This issue was resolved and addressed in
 GLSA 201705-14 at https://security.gentoo.org/glsa/201705-14
by GLSA coordinator Thomas Deutschmann (whissi).