Bug 1449656 (CVE-2017-8849)

Summary: CVE-2017-8849 smb4k: unauthorized local command execution as root
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: helio, sergio, than
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: smb4k 2.0.1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-20 17:10:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1449658    
Bug Blocks:    

Description Adam Mariš 2017-05-10 12:18:37 UTC
Smb4k contains a logic flaw in which mount helper binary does not properly verify the mount command it is being asked to run. This allows calling any other binary as root since the mount helper is typically installed as suid.

Affected versions: smb4k <= 2.0.0

Upstream fixes:

smb4k 2.0.0: https://commits.kde.org/smb4k/a90289b0962663bc1d247bbbd31b9e65b2ca000e
smb4k 1.2.3: https://commits.kde.org/smb4k/71554140bdaede27b95dbe4c9b5a028a83c83cce

External References:


Comment 1 Adam Mariš 2017-05-10 12:18:50 UTC

Name: Sebastian Krahmer (SUSE)

Comment 2 Adam Mariš 2017-05-10 12:19:06 UTC
Created smb4k tracking bugs for this issue:

Affects: fedora-all [bug 1449658]

Comment 3 Sergio Basto 2017-05-10 12:34:13 UTC
Hello , I saw that than took some actions, before update smb4k to major version 2.0.1 in F26+ , I'd like update smb4k to 1.2.3 . Seems that source now is also available on github so : 
https://github.com/KDE/smb4k/commits/1.2  with https://github.com/KDE/smb4k/commit/71554140bdaede27b95dbe4c9b5a028a83c83cce looks good to me , may I update smb4k again ? @than what do you think ?

Comment 4 Adam Mariš 2017-05-12 13:05:35 UTC
As long as it's fixed, I see there no problem.

Comment 5 Than Ngo 2017-05-12 14:22:37 UTC
Sergio, feel free to update to 1.2.3 if you think there's no regression in new version.

Comment 6 Sergio Basto 2017-06-26 10:47:09 UTC
(In reply to Ngo Than from comment #5)
> Sergio, feel free to update to 1.2.3 if you think there's no regression in
> new version.