Smb4K 0.6.4 has been released on 30.10
Smb4K is an SMB/CIFS share browser for KDE. It uses the Samba software suite to access
the SMB/CIFS shares of the local network neighborhood.
smb4k-0.6.4.ebuild is attached; I've just renamed the previous 0.6.3.ebuild and
compiled it successfully.
Created attachment 71850
Ilya: If the ebuild doesn't need to be changed, attaching it is unnecessary. If
you attach something, a unified diff is preferred.
Seems we missed something...
ChangeLog Smb4K 0.6.3:
* Fixed security issue: An attacker could get access to the full contents of
the /etc/super.tab or /etc/sudoers file by linking a simple text file FILE to
/tmp/smb4k.tmp and /tmp/sudoers, respectively, because Smb4K didn't check for
the existence of these files before writing any contents. When using super, the
attack also resulted in /etc/super.tab being a symlink to FILE.
ChangeLog Smb4K 0.6.4:
* REALLY fixed the security issues in Smb4KFileIO. Now, temporary files and
directories are used to copy and modify sensitive data and the lock file is
checked to be not a symlink.
v.0.6.4 just hit cvs
Arches please test and mark stable.
Stable on ppc.
Stable on amd64.
Ready for GLSA vote.
I tend to vote yes, but I don't understand what the exact impact is...
A weak NO from here.
Carlo, could you elaborate on the impact?
Looking at the code, in fact smb4k does (as kdesu root) the following:
chown root:root "+tmp_path+" && chmod "+perm+" "+tmp_path+" && mv "+tmp_path+"
with item->path() = /etc/sudoers... and tmp_path might be under the control of
the attacker, so it smells very bad.
I vote yes, but in fact I think no vote is needed.
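The two ChangeLog entries and the chown/chmod/mv comment above describe the same class of defect: a privileged helper writing through a predictable path under /tmp that an unprivileged user can pre-create as a symlink. The following is an added example, not code from Smb4K or from this bug thread, showing the defensive pattern the 0.6.4 ChangeLog describes in POSIX C: a private directory from mkdtemp(), an unpredictable file from mkstemp() (O_CREAT|O_EXCL, mode 0600), an lstat() check that a lock or temp path is not a symlink, and O_NOFOLLOW so that an open() cannot be redirected through a planted link. The demo() function builds its own victim file and symlink inside a fresh temp directory (constructed stand-ins for /etc/sudoers and /tmp/smb4k.tmp) and verifies that the victim is never written through the link.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define PATHBUF 4096

/* Returns 1 if path exists and is itself a symlink, 0 otherwise.
 * lstat() inspects the link, not its target, which is the check a
 * privileged writer must make before trusting a lock or temp path. */
int is_symlink(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0)
        return 0;
    return S_ISLNK(st.st_mode) ? 1 : 0;
}

/* Open a path for writing but refuse to follow a symlink at the final
 * component; fails with ELOOP if one was planted there. */
int open_nofollow(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
}

/* Create a fresh, unpredictably named file inside dir (mkstemp uses
 * O_CREAT|O_EXCL with mode 0600, so a pre-existing link cannot be reused),
 * write data into it and return the fd; the chosen path is left in out_path. */
int write_private_tempfile(const char *dir, char *out_path, size_t out_len,
                           const char *data) {
    if (snprintf(out_path, out_len, "%s/smb4k-XXXXXX", dir) >= (int)out_len)
        return -1;
    int fd = mkstemp(out_path);
    if (fd < 0)
        return -1;
    size_t len = strlen(data);
    if (write(fd, data, len) != (ssize_t)len) {
        close(fd);
        unlink(out_path);
        return -1;
    }
    return fd;
}

/* Constructed scenario: a victim file plus a symlink planted at a predictable
 * name. Returns 0 when every defensive check behaves as intended; each set
 * bit identifies a failed check. Cleans up after itself. */
int demo(void) {
    char dir[] = "/tmp/smb4k-demo-XXXXXX"; /* assumption: /tmp is writable */
    if (mkdtemp(dir) == NULL)
        return -1;
    char victim[PATHBUF], link[PATHBUF], priv[PATHBUF];
    snprintf(victim, sizeof victim, "%s/sudoers", dir);    /* stand-in for /etc/sudoers */
    snprintf(link, sizeof link, "%s/smb4k.tmp", dir);      /* stand-in for /tmp/smb4k.tmp */

    int rc = 0;
    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "orig\n", 5) != 5)
        rc |= 64;
    if (fd >= 0) close(fd);
    if (symlink(victim, link) != 0)
        rc |= 128;

    /* 1: the planted link must be detected before anything is written */
    if (!is_symlink(link)) rc |= 1;

    /* 2/4: an O_NOFOLLOW open must refuse the link, and with ELOOP */
    fd = open_nofollow(link);
    if (fd >= 0) { close(fd); rc |= 2; }
    else if (errno != ELOOP) rc |= 4;

    /* 8/16: the private temp file is created fresh and is not a link */
    fd = write_private_tempfile(dir, priv, sizeof priv, "new\n");
    if (fd < 0) rc |= 8;
    else { close(fd); if (is_symlink(priv)) rc |= 16; }

    /* 32: the victim file was never written through the link */
    char buf[16] = {0};
    fd = open(victim, O_RDONLY);
    if (fd >= 0) { ssize_t n = read(fd, buf, sizeof buf - 1); if (n < 0) n = 0; buf[n] = 0; close(fd); }
    if (strcmp(buf, "orig\n") != 0) rc |= 32;

    unlink(priv); unlink(link); unlink(victim); rmdir(dir);
    return rc;
}

int main(void) {
    int rc = demo();
    printf("demo result: %d (%s)\n", rc, rc == 0 ? "all checks passed" : "check failed");
    return rc == 0 ? 0 : 1;
}
```

The decisive difference from the pattern quoted in the thread is that the path being chown'ed, chmod'ed and moved is one the privileged process created itself with O_EXCL in a directory it owns, so no unprivileged user can have pre-positioned a link there; the lstat() check covers the remaining fixed-name files such as the lock file.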