CVE-2017-8849 - smb4k: unauthorized local command execution as root
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
smb4k (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
KDE Project Security Advisory
=============================
Title: smb4k: unauthorized local command execution as root
Risk Rating: High
CVE: CVE-2017-8849
Versions: smb4k <= 2.0.0
Date: 10 May 2017
Overview
========
Smb4k contains a logic flaw in which the mount helper binary
does not properly verify the mount command it is being asked to run.
Because the mount helper is typically installed setuid root, this
allows a local user to run any other binary as root.
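The flaw class described above, as an added illustration that is not smb4k's code and does not reproduce its actual helper: a hypothetical setuid-root mount helper that lets its unprivileged caller name the program to run (the vulnerable pattern), beside one that accepts only a share and a mount point, validates both, and builds its own argv around a fixed binary (the hardened pattern). The helper path `/sbin/mount.cifs`, the function names, and the sample requests are all assumptions made for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical suid mount helper, written for this page to illustrate the
 * flaw class in the advisory. It is NOT smb4k's code; all names are assumed.
 * A setuid-root helper runs with effective uid 0 while every argument it
 * receives comes from an unprivileged caller. */

/* VULNERABLE PATTERN: the caller names the program to run and the helper
 * only checks that it is an executable file before execv()ing it as root.
 * access(2) checks against the caller's *real* uid, so any executable the
 * caller can reach (a copy of /bin/sh in /tmp, for instance) passes. */
bool vulnerable_check(const char *program)
{
    return program != NULL && program[0] == '/' && access(program, X_OK) == 0;
}

/* HARDENED PATTERN: the helper never accepts a program name. It takes only
 * the share and the mount point, validates both, and builds its own argv
 * around a fixed absolute path. The caller cannot pick the binary, cannot
 * prepend options, and cannot smuggle separators into the arguments. */
static const char MOUNT_BINARY[] = "/sbin/mount.cifs";   /* assumed location */

static bool clean_argument(const char *p)
{
    if (p == NULL || *p == '\0' || *p == '-')          /* empty or option-like */
        return false;
    if (strstr(p, "..") != NULL)                       /* path traversal */
        return false;
    for (; *p != '\0'; p++) {
        if (*p == ',' || *p == '\n' || *p == '\r')     /* -o list / log separators */
            return false;
    }
    return true;
}

bool hardened_check(const char *share, const char *mountpoint)
{
    if (!clean_argument(share) || !clean_argument(mountpoint))
        return false;
    if (strncmp(share, "//", 2) != 0 || strchr(share + 2, '/') == NULL)
        return false;                                   /* must be //server/share */
    if (mountpoint[0] != '/')
        return false;                                   /* absolute mount point only */
    return true;
}

/* Fills argv for execv(). Returns the number of arguments, 0 if rejected. */
int build_mount_argv(const char *share, const char *mountpoint,
                     const char *argv[], int capacity)
{
    if (capacity < 4 || !hardened_check(share, mountpoint))
        return 0;
    argv[0] = MOUNT_BINARY;
    argv[1] = share;
    argv[2] = mountpoint;
    argv[3] = NULL;
    return 3;
}

/* The program the hardened helper would actually exec, or NULL if rejected.
 * (argv[0] points at the static MOUNT_BINARY, so returning it is safe.) */
const char *program_for(const char *share, const char *mountpoint)
{
    const char *argv[4];
    return build_mount_argv(share, mountpoint, argv, 4) ? argv[0] : NULL;
}

int main(void)
{
    /* Constructed requests: what a legitimate client sends, and what a
     * local attacker would send to the vulnerable helper. */
    const char *good_share = "//fileserver/public";
    const char *good_mount = "/home/user/mnt/public";
    const char *attack_program = "/bin/sh";

    printf("vulnerable helper accepts %s as 'mount command': %s\n",
           attack_program, vulnerable_check(attack_program) ? "yes" : "no");
    printf("hardened helper execs for (%s, %s): %s\n", good_share, good_mount,
           program_for(good_share, good_mount));
    printf("hardened helper execs for (%s, %s): %s\n", attack_program, good_mount,
           program_for(attack_program, good_mount) ? "yes" : "rejected");
    return 0;
}
```

The point of the hardened form is not the particular string checks but the shape of the interface: a privileged helper should expose a narrow, typed request (share, mount point) and derive the command itself, so that nothing the caller controls ever becomes the program path or an option to it.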
Solution
========
Update to smb4k 2.0.1 (when released)
Or apply the following patches:
smb4k 2.0.0: https:/
smb4k 1.2.3: https:/
Credits
=======
Thanks to Sebastian Krahmer from SUSE for the report and
to Albert Astals Cid and Alexander Reinholdt from KDE for the fix.
Status changed to 'Confirmed' because the bug affects multiple users.