Hi Maximiliano and Markus,
On Wed, Jun 14, 2017 at 12:51:04PM +0200, Maximiliano Curia wrote:
> ¡Hola Salvatore!
> El 2017-06-13 a las 13:47 +0200, Salvatore Bonaccorso escribió:
> > Thanks for analyzing the code for older versions.
> > On Mon, Jun 12, 2017 at 11:52:00PM +0200, Markus Koschany wrote:
> > > I had a look at smb4k and CVE-2017-8849 and wanted to mark the
> > > package in Wheezy and Jessie as not-affected. However I'm not
> > > completely sure and I would like to hear more opinions before I do
> > > it.
> > > According to the report on oss-security  it is possible for users
> > > to provide custom arguments and even the mount command for smb4k.
> > > This is fixed by verifying that the user provided mount command
> > > ("mh_command") is identical to the string returned by
> > > findMountExecutable()
> > > In Wheezy and Jessie there is no user provided argument
> > > "mh_command". Instead there is a list called "mount_command"
> > > (Wheezy) and in Jessie it is just "command". (see
> > > helpers/smb4kmounthelper.cpp)
> > > These commands are compiled in core/smb4kmounter_p.cpp and I don't
> > > see a way for users to provide a custom mount command which would
> > > make the above mentioned check unnecessary.
> > > I am also wondering whether the recent fix for kde4libs
> > > (DSA-3849-1/DLA-952-1) effectively mitigated the problem.
> > > Like I said there might be a fallacy so another look is much appreciated.
> > Let's loop in the KDE maintainers to check for the affectness status for
> > the older suites code.
> > Maximiliano, can you comment on the above analysis from Markus Koschany?
> Not really, I haven't used smb4k in years, and I did the upload only because
> I had the time to do it, not because I know anything about it's internals.
> For what it's worth, the analysis sounds valid to me.
As confirmed by upstream (for the jessie-Version):
proc.setProgram( args["command"].toStringList() );
// Run the mount process.
is affected due to this. The helper is then running whatever thing
ones gives it through dbus.
So at least for jessie, this should not be marked as not-affected, I
have not looked at wheezy, which has 1.0.1 based version.
It now might be quite hard to do the right backporting. And depending
on the changes between 1.1.2 and 1.2.1 it might be as well not
feasbible to update to a new upstream version as suggested by
pkg-kde-extras mailing list