Hi Salvatore,

Am 15.06.2017 um 05:53 schrieb Salvatore Bonaccorso:
> As confirmed by upstream (for the jessie-Version):
> ----cut---------cut---------cut---------cut---------cut---------cut-----
>   proc.setProgram( args["command"].toStringList() );
>   // Run the mount process.
>   proc.start();
> ----cut---------cut---------cut---------cut---------cut---------cut-----
> is affected due to this. The helper is then running whatever thing
> ones gives it through dbus.
> So at least for jessie, this should not be marked as not-affected, I
> have not looked at wheezy, which has 1.0.1 based version.
> It now might be quite hard to do the right backporting. And depending
> on the changes between 1.1.2 and 1.2.1 it might be as well not
> feasbible to update to a new upstream version as suggested by
> upstream.

Then args["command"] must be something that can only be passed to smb4k
via dbus and it is unrelated to the code in core/smb4kmounter_p.cpp.
Otherwise it makes no sense to me. It would have been nice, if we had
access to the actual exploit but it seems it was never attached to the
report on the oss-security list.

Then I suggest we backport the Stretch version of smb4k to Wheezy and
Jessie. I have done this a few minutes ago for Wheezy and it was quite
painless. It pulls in a new dependency, libqt4-test, but apart from
that, mounting and unmounting of shares works as expected.

What do you think?


Attachment: signature.asc
Description: OpenPGP digital signature

pkg-kde-extras mailing list

Reply via email to