Hi Salvatore,

On 15.06.2017 at 05:53, Salvatore Bonaccorso wrote:
[...]
> As confirmed by upstream (for the jessie version):
> 
> ----cut---------cut---------cut---------cut---------cut---------cut-----
>   proc.setProgram( args["command"].toStringList() );
> 
>   // Run the mount process.
>   proc.start();
> ----cut---------cut---------cut---------cut---------cut---------cut-----
> 
> is affected due to this. The helper is then running whatever thing
> one gives it through dbus.
> 
> So at least for jessie, this should not be marked as not-affected; I
> have not looked at wheezy, which has a 1.0.1-based version.
> 
> It now might be quite hard to do the right backporting. And depending
> on the changes between 1.1.2 and 1.2.1 it might as well not be
> feasible to update to a new upstream version as suggested by
> upstream.

Then args["command"] must be something that can only be passed to smb4k
via dbus and it is unrelated to the code in core/smb4kmounter_p.cpp.
Otherwise it makes no sense to me. It would have been nice if we had
access to the actual exploit, but it seems it was never attached to the
report on the oss-security list.

Then I suggest we backport the Stretch version of smb4k to Wheezy and
Jessie. I have done this a few minutes ago for Wheezy and it was quite
painless. It pulls in a new dependency, libqt4-test, but apart from
that, mounting and unmounting of shares works as expected.

What do you think?

Markus

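The quoted helper code lets an unprivileged D-Bus caller name the program the root helper executes. The following is an added example, not smb4k's code and not Debian's patch: it models that pattern in plain C++ (no Qt, so std::map and std::vector stand in for the QVariantMap the KAuth helper receives) and puts a hardened shape next to it, in which the caller sends only the share, the mount point and a list of options, and the helper fixes the program itself and validates every field before building the argument vector. The allowlists, the validators and the /sbin/mount.cifs path are assumptions for illustration.

```cpp
#include <iostream>
#include <map>
#include <optional>
#include <regex>
#include <set>
#include <string>
#include <vector>

// Stand-in for the QVariantMap the KAuth helper receives over D-Bus (assumption).
using ArgMap = std::map<std::string, std::vector<std::string>>;

struct Command {
    std::string program;            // what proc.setProgram() would receive
    std::vector<std::string> args;  // argv[1..]
};

// The shape quoted in the thread: args["command"] names the program and its
// arguments, and the privileged helper runs it unchanged. Whoever can reach
// the helper over D-Bus chooses the program.
std::optional<Command> buildCommandUnchecked(const ArgMap& args) {
    auto it = args.find("command");
    if (it == args.end() || it->second.empty()) return std::nullopt;
    return Command{it->second.front(),
                   std::vector<std::string>(it->second.begin() + 1, it->second.end())};
}

// Hardened shape (illustrative, not smb4k's actual fix): the caller supplies
// only data; the helper picks the program and checks each field.
static bool validShare(const std::string& s) {
    // UNC-style //server/share with a conservative character set (assumption)
    static const std::regex re(R"(^//[A-Za-z0-9._-]+/[A-Za-z0-9._$-]+$)");
    return std::regex_match(s, re);
}

static bool validMountPoint(const std::string& p) {
    static const std::regex re(R"(^(/[A-Za-z0-9._-]+)+$)");
    if (!std::regex_match(p, re)) return false;
    // The class above still admits "." and ".." segments; reject them explicitly.
    std::string seg;
    for (std::string::size_type i = 1; i <= p.size(); ++i) {
        if (i == p.size() || p[i] == '/') {
            if (seg == "." || seg == "..") return false;
            seg.clear();
        } else {
            seg += p[i];
        }
    }
    return true;
}

static bool validOption(const std::string& opt) {
    // Allowlisted mount.cifs options (assumption); values get a tight character set.
    static const std::set<std::string> flags{"ro", "rw", "guest", "noexec", "nosuid", "nodev"};
    static const std::set<std::string> keyed{"user", "domain", "uid", "gid",
                                             "file_mode", "dir_mode", "sec", "vers"};
    static const std::regex value(R"(^[A-Za-z0-9._@-]+$)");
    auto eq = opt.find('=');
    if (eq == std::string::npos) return flags.count(opt) > 0;
    return keyed.count(opt.substr(0, eq)) > 0 && std::regex_match(opt.substr(eq + 1), value);
}

std::optional<Command> buildMountCommand(const ArgMap& args) {
    auto share = args.find("share");
    auto mp = args.find("mountpoint");
    if (share == args.end() || share->second.size() != 1 || !validShare(share->second[0]))
        return std::nullopt;
    if (mp == args.end() || mp->second.size() != 1 || !validMountPoint(mp->second[0]))
        return std::nullopt;
    std::string joined;
    auto opts = args.find("options");
    if (opts != args.end()) {
        for (const auto& o : opts->second) {
            if (!validOption(o)) return std::nullopt;
            joined += (joined.empty() ? "" : ",") + o;
        }
    }
    // The program is fixed inside the helper; a "command" key sent by the caller is ignored.
    Command c{"/sbin/mount.cifs", {share->second[0], mp->second[0]}};
    if (!joined.empty()) { c.args.push_back("-o"); c.args.push_back(joined); }
    return c;
}

int main() {
    // Constructed request: a caller asking the helper to run a shell.
    ArgMap hostile{{"command", {"/bin/sh", "-c", "id"}}};
    std::cout << "unchecked helper would run: " << buildCommandUnchecked(hostile)->program << "\n";
    std::cout << "hardened helper accepts it: " << (buildMountCommand(hostile) ? "yes" : "no") << "\n";
    return 0;
}
```

The point of the second shape is not the particular regexes but that the privileged side never takes an executable path, or a pre-assembled argument list, from the unprivileged side; it derives both from validated data.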

_______________________________________________
pkg-kde-extras mailing list
pkg-kde-extras@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-kde-extras
