Re: [Pkg-kde-extras] smb4k CVE-2017-8849
Hi Salvatore, Am 15.06.2017 um 05:53 schrieb Salvatore Bonaccorso: [...] > As confirmed by upstream (for the jessie-Version): > > cut-cut-cut-cut-cut-cut- > proc.setProgram( args["command"].toStringList() ); > > // Run the mount process. > proc.start(); > cut-cut-cut-cut-cut-cut- > > is affected due to this. The helper is then running whatever thing > ones gives it through dbus. > > So at least for jessie, this should not be marked as not-affected, I > have not looked at wheezy, which has 1.0.1 based version. > > It now might be quite hard to do the right backporting. And depending > on the changes between 1.1.2 and 1.2.1 it might be as well not > feasbible to update to a new upstream version as suggested by > upstream. Then args["command"] must be something that can only be passed to smb4k via dbus and it is unrelated to the code in core/smb4kmounter_p.cpp. Otherwise it makes no sense to me. It would have been nice, if we had access to the actual exploit but it seems it was never attached to the report on the oss-security list. Then I suggest we backport the Stretch version of smb4k to Wheezy and Jessie. I have done this a few minutes ago for Wheezy and it was quite painless. It pulls in a new dependency, libqt4-test, but apart from that, mounting and unmounting of shares works as expected. What do you think? Markus signature.asc Description: OpenPGP digital signature ___ pkg-kde-extras mailing list pkg-kde-extras@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-kde-extras
Re: [Pkg-kde-extras] smb4k CVE-2017-8849
Hi Maximiliano and Markus, On Wed, Jun 14, 2017 at 12:51:04PM +0200, Maximiliano Curia wrote: > ¡Hola Salvatore! > > El 2017-06-13 a las 13:47 +0200, Salvatore Bonaccorso escribió: > > Thanks for analyzing the code for older versions. > > > On Mon, Jun 12, 2017 at 11:52:00PM +0200, Markus Koschany wrote: > > > I had a look at smb4k and CVE-2017-8849 and wanted to mark the > > > package in Wheezy and Jessie as not-affected. However I'm not > > > completely sure and I would like to hear more opinions before I do > > > it. > > > > According to the report on oss-security [1] it is possible for users > > > to provide custom arguments and even the mount command for smb4k. > > > This is fixed by verifying that the user provided mount command > > > ("mh_command") is identical to the string returned by > > > findMountExecutable() > > > > In Wheezy and Jessie there is no user provided argument > > > "mh_command". Instead there is a list called "mount_command" > > > (Wheezy) and in Jessie it is just "command". (see > > > helpers/smb4kmounthelper.cpp) > > > > These commands are compiled in core/smb4kmounter_p.cpp and I don't > > > see a way for users to provide a custom mount command which would > > > make the above mentioned check unnecessary. > > > > I am also wondering whether the recent fix for kde4libs > > > (DSA-3849-1/DLA-952-1) effectively mitigated the problem. > > > > Like I said there might be a fallacy so another look is much appreciated. > > > Let's loop in the KDE maintainers to check for the affectness status for > > the older suites code. > > > Maximiliano, can you comment on the above analysis from Markus Koschany? > > Not really, I haven't used smb4k in years, and I did the upload only because > I had the time to do it, not because I know anything about it's internals. > For what it's worth, the analysis sounds valid to me. As confirmed by upstream (for the jessie-Version): cut-cut-cut-cut-cut-cut- proc.setProgram( args["command"].toStringList() ); // Run the mount process. proc.start(); cut-cut-cut-cut-cut-cut- is affected due to this. The helper is then running whatever thing ones gives it through dbus. So at least for jessie, this should not be marked as not-affected, I have not looked at wheezy, which has 1.0.1 based version. It now might be quite hard to do the right backporting. And depending on the changes between 1.1.2 and 1.2.1 it might be as well not feasbible to update to a new upstream version as suggested by upstream. Regards, Salvatore ___ pkg-kde-extras mailing list pkg-kde-extras@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-kde-extras
Re: [Pkg-kde-extras] smb4k CVE-2017-8849
¡Hola Salvatore! El 2017-06-13 a las 13:47 +0200, Salvatore Bonaccorso escribió: Thanks for analyzing the code for older versions. On Mon, Jun 12, 2017 at 11:52:00PM +0200, Markus Koschany wrote: I had a look at smb4k and CVE-2017-8849 and wanted to mark the package in Wheezy and Jessie as not-affected. However I'm not completely sure and I would like to hear more opinions before I do it. According to the report on oss-security [1] it is possible for users to provide custom arguments and even the mount command for smb4k. This is fixed by verifying that the user provided mount command ("mh_command") is identical to the string returned by findMountExecutable() In Wheezy and Jessie there is no user provided argument "mh_command". Instead there is a list called "mount_command" (Wheezy) and in Jessie it is just "command". (see helpers/smb4kmounthelper.cpp) These commands are compiled in core/smb4kmounter_p.cpp and I don't see a way for users to provide a custom mount command which would make the above mentioned check unnecessary. I am also wondering whether the recent fix for kde4libs (DSA-3849-1/DLA-952-1) effectively mitigated the problem. Like I said there might be a fallacy so another look is much appreciated. Let's loop in the KDE maintainers to check for the affectness status for the older suites code. Maximiliano, can you comment on the above analysis from Markus Koschany? Not really, I haven't used smb4k in years, and I did the upload only because I had the time to do it, not because I know anything about it's internals. For what it's worth, the analysis sounds valid to me. About kde4libs, afaicr, the patch checks the sender of the dbus message, I'm not sure if that's really a tight check, or if it just avoids the specific exploit as presented. Happy hacking, -- "UNIX is basically a simple operating system, but you have to be a genius to understand the simplicity." -- Dennis Ritchie Saludos /\/\ /\ >< `/ signature.asc Description: PGP signature ___ pkg-kde-extras mailing list pkg-kde-extras@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-kde-extras
Re: [Pkg-kde-extras] smb4k CVE-2017-8849
Hi Markus, Thanks for analyzing the code for older versions. On Mon, Jun 12, 2017 at 11:52:00PM +0200, Markus Koschany wrote: > Hi, > > I had a look at smb4k and CVE-2017-8849 and wanted to mark the package > in Wheezy and Jessie as not-affected. However I'm not completely sure > and I would like to hear more opinions before I do it. > > According to the report on oss-security [1] it is possible for users to > provide custom arguments and even the mount command for smb4k. This is > fixed by verifying that the user provided mount command ("mh_command") > is identical to the string returned by findMountExecutable() > > In Wheezy and Jessie there is no user provided argument "mh_command". > Instead there is a list called "mount_command" (Wheezy) and in Jessie it > is just "command". (see helpers/smb4kmounthelper.cpp) > > These commands are compiled in core/smb4kmounter_p.cpp and I don't see a > way for users to provide a custom mount command which would make the > above mentioned check unnecessary. > > I am also wondering whether the recent fix for kde4libs > (DSA-3849-1/DLA-952-1) effectively mitigated the problem. > > Like I said there might be a fallacy so another look is much appreciated. Let's loop in the KDE maintainers to check for the affectness status for the older suites code. Maximiliano, can you comment on the above analysis from Markus Koschany? Regards, Salvatore ___ pkg-kde-extras mailing list pkg-kde-extras@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-kde-extras