[Pkg-kde-extras] smb4k CVE-2017-8849

Maximiliano Curia maxy at gnuservers.com.ar
Wed Jun 14 10:51:04 UTC 2017


Hello Salvatore!

On 2017-06-13 at 13:47 +0200, Salvatore Bonaccorso wrote:
> Thanks for analyzing the code for older versions.

> On Mon, Jun 12, 2017 at 11:52:00PM +0200, Markus Koschany wrote:
>> I had a look at smb4k and CVE-2017-8849 and wanted to mark the package 
>> in Wheezy and Jessie as not-affected. However I'm not completely sure 
>> and I would like to hear more opinions before I do it.

>> According to the report on oss-security [1] it is possible for users to 
>> provide custom arguments and even the mount command for smb4k. This is 
>> fixed by verifying that the user-provided mount command ("mh_command") 
>> is identical to the string returned by findMountExecutable().

>> In Wheezy and Jessie there is no user provided argument "mh_command". 
>> Instead there is a list called "mount_command" (Wheezy) and in Jessie it 
>> is just "command". (see helpers/smb4kmounthelper.cpp)

>> These commands are compiled in core/smb4kmounter_p.cpp and I don't see a 
>> way for users to provide a custom mount command which would make the 
>> above mentioned check unnecessary.

>> I am also wondering whether the recent fix for kde4libs 
>> (DSA-3849-1/DLA-952-1) effectively mitigated the problem.

>> Like I said there might be a fallacy so another look is much appreciated.

> Let's loop in the KDE maintainers to check for the affectedness status 
> for the older suites code.

> Maximiliano, can you comment on the above analysis from Markus 
> Koschany?

Not really, I haven't used smb4k in years, and I did the upload only because I 
had the time to do it, not because I know anything about its internals. For 
what it's worth, the analysis sounds valid to me.

About kde4libs, afaicr, the patch checks the sender of the dbus message, I'm 
not sure if that's really a tight check, or if it just avoids the specific 
exploit as presented.

Happy hacking,
-- 
"UNIX is basically a simple operating system, but you have to be a genius to
understand the simplicity."
-- Dennis Ritchie
 Regards /\/\ /\ >< `/
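
Added example, not part of the original message and not smb4k's own code: the check described in the quoted analysis (the caller-supplied "mh_command" must be identical to what the helper itself finds), written in standard-library C++. The findMountExecutable() here is a hypothetical stand-in, and the candidate paths, checkMountRequest(), verdictFor() and the two filesystem views are constructed for illustration.

```cpp
#include <iostream>
#include <map>
#include <string>

// Added example, not smb4k code. Candidate paths are constructed samples.
typedef bool (*ExistsFn)(const std::string&);
typedef std::map<std::string, std::string> Args;  // arguments sent by the caller

// Hypothetical stand-in for findMountExecutable(): the helper itself decides
// which binary counts as the mount command. Returns "" when none is found.
std::string findMountExecutable(ExistsFn exists) {
    const char* candidates[] = {"/sbin/mount.cifs", "/usr/sbin/mount.cifs",
                                "/usr/bin/mount.cifs"};
    for (const char* path : candidates)
        if (exists(path)) return path;
    return "";
}

enum Verdict { ACCEPT, MISSING_COMMAND, NO_MOUNT_BINARY, COMMAND_MISMATCH };

// "mh_command" must be identical to the helper's own lookup result. Exact
// string equality only: no basename match, no prefix match, no normalisation.
Verdict checkMountRequest(const Args& args, ExistsFn exists) {
    Args::const_iterator it = args.find("mh_command");
    if (it == args.end() || it->second.empty()) return MISSING_COMMAND;
    const std::string trusted = findMountExecutable(exists);
    if (trusted.empty()) return NO_MOUNT_BINARY;
    return it->second == trusted ? ACCEPT : COMMAND_MISMATCH;
}

// Constructed filesystem views so the example runs offline.
bool onlySbin(const std::string& p) { return p == "/sbin/mount.cifs"; }
bool nothingInstalled(const std::string&) { return false; }

// Builds a request carrying the given command (none if empty) and checks it.
Verdict verdictFor(const std::string& command, ExistsFn exists) {
    Args args;
    if (!command.empty()) args["mh_command"] = command;
    return checkMountRequest(args, exists);
}

int main() {
    const char* samples[] = {"/sbin/mount.cifs", "/home/user/mount.cifs",
                             "/sbin/../sbin/mount.cifs", ""};
    for (const char* s : samples)
        std::cout << '"' << s << "\" -> " << verdictFor(s, onlySbin) << '\n';
    return 0;
}
```

A helper that passes this check still has to execute the value it looked up itself and validate every remaining caller-supplied argument; the comparison only settles which binary runs.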