¡Hola Salvatore! El 2017-06-13 a las 13:47 +0200, Salvatore Bonaccorso escribió:
Thanks for analyzing the code for older versions.
On Mon, Jun 12, 2017 at 11:52:00PM +0200, Markus Koschany wrote:I had a look at smb4k and CVE-2017-8849 and wanted to mark the package in Wheezy and Jessie as not-affected. However I'm not completely sure and I would like to hear more opinions before I do it.
According to the report on oss-security [1] it is possible for users to provide custom arguments and even the mount command for smb4k. This is fixed by verifying that the user provided mount command ("mh_command") is identical to the string returned by findMountExecutable()
In Wheezy and Jessie there is no user provided argument "mh_command". Instead there is a list called "mount_command" (Wheezy) and in Jessie it is just "command". (see helpers/smb4kmounthelper.cpp)
These commands are compiled in core/smb4kmounter_p.cpp and I don't see a way for users to provide a custom mount command which would make the above mentioned check unnecessary.
I am also wondering whether the recent fix for kde4libs (DSA-3849-1/DLA-952-1) effectively mitigated the problem.
Like I said there might be a fallacy so another look is much appreciated.
Let's loop in the KDE maintainers to check for the affectness status for the older suites code.
Maximiliano, can you comment on the above analysis from Markus Koschany?
Not really, I haven't used smb4k in years, and I did the upload only because I had the time to do it, not because I know anything about it's internals. For what it's worth, the analysis sounds valid to me.
About kde4libs, afaicr, the patch checks the sender of the dbus message, I'm not sure if that's really a tight check, or if it just avoids the specific exploit as presented.
Happy hacking, -- "UNIX is basically a simple operating system, but you have to be a genius to understand the simplicity." -- Dennis Ritchie Saludos /\/\ /\ >< `/
Attachment:
signature.asc
Description: PGP signature