Re: smb4k CVE-2017-8849
Hi Markus,
Thanks for analyzing the code for older versions.
On Mon, Jun 12, 2017 at 11:52:00PM +0200, Markus Koschany wrote:
> Hi,
>
> I had a look at smb4k and CVE-2017-8849 and wanted to mark the package
> in Wheezy and Jessie as not-affected. However I'm not completely sure
> and I would like to hear more opinions before I do it.
>
> According to the report on oss-security [1] it is possible for users to
> provide custom arguments and even the mount command for smb4k. This is
> fixed by verifying that the user provided mount command ("mh_command")
> is identical to the string returned by findMountExecutable()
>
> In Wheezy and Jessie there is no user provided argument "mh_command".
> Instead there is a list called "mount_command" (Wheezy) and in Jessie it
> is just "command". (see helpers/smb4kmounthelper.cpp)
>
> These commands are compiled in core/smb4kmounter_p.cpp and I don't see a
> way for users to provide a custom mount command which would make the
> above mentioned check unnecessary.
>
> I am also wondering whether the recent fix for kde4libs
> (DSA-3849-1/DLA-952-1) effectively mitigated the problem.
>
> Like I said there might be a fallacy so another look is much appreciated.
Let's loop in the KDE maintainers to check for the affectness status
for the older suites code.
Maximiliano, can you comment on the above analysis from Markus
Koschany?
Regards,
Salvatore
Reply to: