From ${URL} : Smb4k contains a logic flaw in which mount helper binary does not properly verify the mount command it is being asked to run. This allows calling any other binary as root since the mount helper is typically installed as suid. Affected versions: smb4k <= 2.0.0 Upstream fixes: smb4k 2.0.0: https://commits.kde.org/smb4k/a90289b0962663bc1d247bbbd31b9e65b2ca000e smb4k 1.2.3: https://commits.kde.org/smb4k/71554140bdaede27b95dbe4c9b5a028a83c83cce External References: https://www.kde.org/info/security/advisory-20170510-2.txt @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Fixed versions smb4k-1.2.3-r1 and 2.0.0-r1 added in git commit d39d7aa14725bc031c1e1b588b7dafa9198111bd. Please stabilise 1.2.3-r1 so we can cleanup remaining vulnerable current stable 1.2.1.
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
Cleaned up 1.2.1, remaining versions are all fixed.
This issue was resolved and addressed in GLSA 201705-14 at https://security.gentoo.org/glsa/201705-14 by GLSA coordinator Thomas Deutschmann (whissi).
