Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 618106 (CVE-2017-8849) - <net-misc/smb4k-{1.2.3-r1,2.0.0-r1}: unauthorized local command execution as root
Summary: <net-misc/smb4k-{1.2.3-r1,2.0.0-r1}: unauthorized local command execution as ...
Alias: CVE-2017-8849
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
Whiteboard: B1 [glsa cve]
Depends on:
Reported: 2017-05-10 13:03 UTC by Agostino Sarubbo
Modified: 2017-05-26 06:30 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-05-10 13:03:27 UTC
From ${URL} :

Smb4k contains a logic flaw in which mount helper binary does not properly verify the mount command it is being asked to run. This allows calling any other binary as root since the mount helper is 
typically installed as suid.

Affected versions: smb4k <= 2.0.0

Upstream fixes:

smb4k 2.0.0:
smb4k 1.2.3:

External References:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Andreas Sturmlechner gentoo-dev 2017-05-10 18:10:28 UTC
Fixed versions smb4k-1.2.3-r1 and 2.0.0-r1 added in git commit d39d7aa14725bc031c1e1b588b7dafa9198111bd.

Please stabilise 1.2.3-r1 so we can cleanup remaining vulnerable current stable 1.2.1.
Comment 2 Agostino Sarubbo gentoo-dev 2017-05-11 07:51:45 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2017-05-11 08:37:56 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 4 Andreas Sturmlechner gentoo-dev 2017-05-11 22:05:30 UTC
Cleaned up 1.2.1, remaining versions are all fixed.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2017-05-26 06:30:57 UTC
This issue was resolved and addressed in
 GLSA 201705-14 at
by GLSA coordinator Thomas Deutschmann (whissi).