Bug 1449656 (CVE-2017-8849) - CVE-2017-8849 smb4k: unauthorized local command execution as root
Summary: CVE-2017-8849 smb4k: unauthorized local command execution as root
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2017-8849
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1449658
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-05-10 12:18 UTC by Adam Mariš
Modified: 2021-02-17 02:09 UTC (History)
3 users (show)

Fixed In Version: smb4k 2.0.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-20 17:10:07 UTC
Embargoed:


Attachments (Terms of Use)

Description Adam Mariš 2017-05-10 12:18:37 UTC
Smb4k contains a logic flaw in which mount helper binary does not properly verify the mount command it is being asked to run. This allows calling any other binary as root since the mount helper is typically installed as suid.

Affected versions: smb4k <= 2.0.0

Upstream fixes:

smb4k 2.0.0: https://commits.kde.org/smb4k/a90289b0962663bc1d247bbbd31b9e65b2ca000e
smb4k 1.2.3: https://commits.kde.org/smb4k/71554140bdaede27b95dbe4c9b5a028a83c83cce

External References:

https://www.kde.org/info/security/advisory-20170510-2.txt

Comment 1 Adam Mariš 2017-05-10 12:18:50 UTC
Acknowledgments:

Name: Sebastian Krahmer (SUSE)

Comment 2 Adam Mariš 2017-05-10 12:19:06 UTC
Created smb4k tracking bugs for this issue:

Affects: fedora-all [bug 1449658]

Comment 3 Sergio Basto 2017-05-10 12:34:13 UTC
Hello , I saw that than took some actions, before update smb4k to major version 2.0.1 in F26+ , I'd like update smb4k to 1.2.3 . Seems that source now is also available on github so : 
https://github.com/KDE/smb4k/commits/1.2  with https://github.com/KDE/smb4k/commit/71554140bdaede27b95dbe4c9b5a028a83c83cce looks good to me , may I update smb4k again ? @than what do you think ?

Comment 4 Adam Mariš 2017-05-12 13:05:35 UTC
As long as it's fixed, I see there no problem.

Comment 5 Than Ngo 2017-05-12 14:22:37 UTC
Sergio, feel free to update to 1.2.3 if you think there's no regression in new version.

Comment 6 Sergio Basto 2017-06-26 10:47:09 UTC
(In reply to Ngo Than from comment #5)
> Sergio, feel free to update to 1.2.3 if you think there's no regression in
> new version.

Done


Note You need to log in before you can comment on or make changes to this bug.