Hi,

I had a look at smb4k and CVE-2017-8849 and wanted to mark the package in Wheezy and Jessie as not-affected. However, I'm not completely sure and I would like to hear more opinions before I do it.

According to the report on oss-security [1], it is possible for users to provide custom arguments and even the mount command for smb4k. This is fixed by verifying that the user-provided mount command ("mh_command") is identical to the string returned by findMountExecutable().

In Wheezy and Jessie there is no user-provided argument "mh_command". Instead there is a list called "mount_command" (Wheezy), and in Jessie it is just "command" (see helpers/smb4kmounthelper.cpp). These commands are compiled in core/smb4kmounter_p.cpp and I don't see a way for users to provide a custom mount command, which would make the above-mentioned check unnecessary.

I am also wondering whether the recent fix for kde4libs (DSA-3849-1/DLA-952-1) effectively mitigated the problem.

Like I said, there might be a fallacy, so another look is much appreciated.

Regards,

Markus

[1] http://www.openwall.com/lists/oss-security/2017/05/10/3