Upstream has issued an advisory on May 10:
https://www.kde.org/info/security/advisory-20170510-2.txt
The issue has already been fixed in Cauldron by Nicolas.
Fixed for mga5 by updating smb4k to release 1.2.3 and also adding an upstream patch to fix CVE-2017-8849.
CC: (none) => geiger.david68210
Thanks David!

Advisory:
========================

Updated smb4k packages fix security vulnerabilities:

Smb4k contains a logic flaw in which mount helper binary does not properly verify the mount command it is being asked to run. This allows calling any other binary as root since the mount helper is typically installed as suid (CVE-2017-8849).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8849
https://www.kde.org/info/security/advisory-20170510-2.txt
========================

Updated packages in core/updates_testing:
========================
smb4k-1.2.3-1.mga5
libsmb4kcore4-1.2.3-1.mga5
smb4k-devel-1.2.3-1.mga5

from smb4k-1.2.3-1.mga5.src.rpm
CC: (none) => kde
Assignee: kde => qa-bugs
Whiteboard: (none) => advisory
CC: (none) => davidwhodgins
Packages updated cleanly:
- lib64smb4kcore4-1.2.3-1.mga5.x86_64
- smb4k-1.2.3-1.mga5.x86_64

I was able to scan the network and mount/umount a share on a Win7 system running as a guest on a different host. Since I do not use kwallet, I had to first enter authentication credentials, as described in:
https://bugs.mageia.org/show_bug.cgi?id=13478#c7

OK for mga5-64
Whiteboard: advisory => advisory MGA5-64-OK
CC: (none) => jim
On mga5-32 (in a vbox VM)

Packages updated cleanly:
- libsmb4kcore4-1.2.3-1.mga5.i586
- smb4k-1.2.3-1.mga5.i586

I was able to scan the network and mount/umount a share on a Win7 system running as a guest on a different host. Since I do not use kwallet, I had to first enter authentication credentials, as described in:
https://bugs.mageia.org/show_bug.cgi?id=13478#c7

OK for mga5-32
Whiteboard: advisory MGA5-64-OK => advisory MGA5-64-OK MGA5-32-OK
This update is now validated and can be pushed to updates.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0171.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED