Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 618106 (CVE-2017-8849)

Summary: <net-misc/smb4k-{1.2.3-r1,2.0.0-r1}: unauthorized local command execution as root
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: major Flags: stable-bot: sanity-check+
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B1 [glsa cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2017-05-10 13:03:27 UTC
From ${URL} :

Smb4k contains a logic flaw in which mount helper binary does not properly verify the mount command it is being asked to run. This allows calling any other binary as root since the mount helper is 
typically installed as suid.

Affected versions: smb4k <= 2.0.0

Upstream fixes:

smb4k 2.0.0:
smb4k 1.2.3:

External References:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Andreas Sturmlechner gentoo-dev 2017-05-10 18:10:28 UTC
Fixed versions smb4k-1.2.3-r1 and 2.0.0-r1 added in git commit d39d7aa14725bc031c1e1b588b7dafa9198111bd.

Please stabilise 1.2.3-r1 so we can cleanup remaining vulnerable current stable 1.2.1.
Comment 2 Agostino Sarubbo gentoo-dev 2017-05-11 07:51:45 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2017-05-11 08:37:56 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 4 Andreas Sturmlechner gentoo-dev 2017-05-11 22:05:30 UTC
Cleaned up 1.2.1, remaining versions are all fixed.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2017-05-26 06:30:57 UTC
This issue was resolved and addressed in
 GLSA 201705-14 at
by GLSA coordinator Thomas Deutschmann (whissi).