Debian Bug report logs - #862505
smb4k: CVE-2017-8849


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 13 May 2017 18:45:02 UTC

Severity: important

Tags: patch, security, upstream

Found in versions smb4k/1.2.1-1, smb4k/1.1.2-1

Fixed in versions smb4k/1.2.1-2, smb4k/1.2.1-2~deb8u1

Done: Maximiliano Curia <maxy@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>:
Bug#862505; Package src:smb4k. (Sat, 13 May 2017 18:45:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>. (Sat, 13 May 2017 18:45:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: smb4k: CVE-2017-8849
Date: Sat, 13 May 2017 20:40:23 +0200
Source: smb4k
Version: 1.1.2-1
Severity: important
Tags: security patch upstream

Hi,

the following vulnerability was published for smb4k.

CVE-2017-8849[0]:
No description was found (try on a search engine)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-8849
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8849
[1] https://www.kde.org/info/security/advisory-20170510-2.txt

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Maximiliano Curia <maxy@debian.org>:
You have taken responsibility. (Mon, 15 May 2017 10:42:19 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 15 May 2017 10:42:19 GMT)


Message #10 received at 862505-close@bugs.debian.org:

From: Maximiliano Curia <maxy@debian.org>
To: 862505-close@bugs.debian.org
Subject: Bug#862505: fixed in smb4k 1.2.1-2
Date: Mon, 15 May 2017 10:33:36 +0000
Source: smb4k
Source-Version: 1.2.1-2

We believe that the bug you reported is fixed in the latest version of
smb4k, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 862505@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Maximiliano Curia <maxy@debian.org> (supplier of updated smb4k package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 15 May 2017 12:18:34 +0200
Source: smb4k
Binary: smb4k
Architecture: source
Version: 1.2.1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>
Changed-By: Maximiliano Curia <maxy@debian.org>
Description:
 smb4k      - Samba (SMB) share advanced browser
Closes: 862505
Changes:
 smb4k (1.2.1-2) unstable; urgency=medium
 .
   * Team upload.
   * Cherry pick "Find the mount/umount commands in the helper"
     This fixes CVE-2017-8849 (Closes: 862505)
Checksums-Sha1:
 f71b183269fe5565a7ee0b81b015225ff11b4b90 2033 smb4k_1.2.1-2.dsc
 2e112d63bcf08564ce40df91438c2477f57b5461 7360 smb4k_1.2.1-2.debian.tar.xz
 cc4b5eb9a4dfe4234dcbee5670e1584ddce1145c 7328 smb4k_1.2.1-2_source.buildinfo
Checksums-Sha256:
 91a6f6fe82fc0de93f5f845c4a1fee3f36dda153e4dd8eba64ca592e1cd889f4 2033 smb4k_1.2.1-2.dsc
 5d8f900c3ed974183121358ced59ac7331fe5dc9bb9485bbb4654bb398cf604e 7360 smb4k_1.2.1-2.debian.tar.xz
 007bc5a6f742422426d94f4aaad097d3806ab51db8b898a2cb63416e898be35b 7328 smb4k_1.2.1-2_source.buildinfo
Files:
 3ca8f3f5889dd4d96c630a8891179892 2033 kde optional smb4k_1.2.1-2.dsc
 494856e636419709302d52b4d824fa10 7360 kde optional smb4k_1.2.1-2.debian.tar.xz
 d3632daef0148bfdfd8e4528cda979c9 7328 kde optional smb4k_1.2.1-2_source.buildinfo

-----BEGIN PGP SIGNATURE-----
[signature body elided]
-----END PGP SIGNATURE-----




Marked as found in versions smb4k/1.2.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 14 Jun 2017 17:12:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>:
Bug#862505; Package src:smb4k. (Thu, 15 Jun 2017 03:45:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>. (Thu, 15 Jun 2017 03:45:02 GMT)


Message #17 received at 862505@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 862505@bugs.debian.org
Subject: Re: Bug#862505: smb4k: CVE-2017-8849
Date: Thu, 15 Jun 2017 05:40:16 +0200
Control: found -1 1.1.2-1

Upstream (Albert Astals Cid) confirmed that the version in Jessie is
affected.

----cut---------cut---------cut---------cut---------cut---------cut-----
  proc.setProgram( args["command"].toStringList() );

  // Run the mount process.
  proc.start();
----cut---------cut---------cut---------cut---------cut---------cut-----

The helper is then running whatever thing one gives it through D-Bus.

Upstream's suggestion was to upgrade to a newer version, as backporting
is quite intrusive. Whether that's feasible on our end is not clear.

Regards,
Salvatore
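The snippet quoted in the message above is the whole bug: a helper that runs as root (authorised through polkit/KAuth) takes the program to execute from the request the unprivileged client sends over D-Bus, so polkit's answer "this user may trigger the mount action" silently becomes "this user may run any argv as root". The upstream fix named in the 1.2.1-2 changelog, "Find the mount/umount commands in the helper", moves that decision into the helper. The following C++ model, added here as an illustration and not smb4k's own code, puts the vulnerable pattern beside the hardened one. The request fields, the function names, the fixed search list and the fake filesystem are assumptions made for this example; the real helper's argument layout differs.

```cpp
// Added illustration (not smb4k's code): a model of the trust boundary in a
// privileged helper that receives its arguments from an unprivileged client
// over D-Bus, in the style of a KAuth helper.  Field and function names are
// assumptions for this example.
#include <cctype>
#include <functional>
#include <iostream>
#include <optional>
#include <set>
#include <string>
#include <vector>

// Request as received by the root helper (assumed layout).
struct HelperRequest {
    std::vector<std::string> command;  // caller-chosen argv: the CVE-2017-8849 pattern
    std::string action;                // "mount" or "umount"
    std::string share;                 // e.g. //server/share (mount only)
    std::string mountpoint;            // absolute path
};

// Vulnerable pattern quoted in the report: the helper runs exactly the argv it
// was handed, so any local user who can trigger the action runs a root process.
std::vector<std::string> vulnerableArgv(const HelperRequest& req) {
    return req.command;  // proc.setProgram(args["command"].toStringList())
}

// Injected so the example runs without touching the real filesystem.
using ExistsFn = std::function<bool(const std::string&)>;

// Fixed pattern ("find the mount/umount commands in the helper"): the helper
// resolves the binary itself from a fixed search list; the caller never names
// a program.
std::optional<std::string> findTrustedBinary(const std::string& name,
                                             const std::vector<std::string>& dirs,
                                             const ExistsFn& exists) {
    if (name != "mount" && name != "umount") return std::nullopt;
    for (const auto& dir : dirs) {
        const std::string candidate = dir + "/" + name;
        if (exists(candidate)) return candidate;
    }
    return std::nullopt;
}

// Caller-controlled path arguments must be absolute (which also rules out a
// value such as "-o ..." being parsed as an option), free of ".." components
// and free of control characters.
bool safePath(const std::string& p) {
    if (p.empty() || p[0] != '/') return false;
    if (p.find("/../") != std::string::npos) return false;
    if (p.size() >= 3 && p.compare(p.size() - 3, 3, "/..") == 0) return false;
    for (unsigned char c : p) {
        if (std::iscntrl(c)) return false;
    }
    return true;
}

// Builds the argv the helper will execute.  req.command is deliberately
// ignored: the caller only supplies data, never the program.
std::optional<std::vector<std::string>> hardenedArgv(const HelperRequest& req,
                                                     const std::vector<std::string>& dirs,
                                                     const ExistsFn& exists) {
    const auto bin = findTrustedBinary(req.action, dirs, exists);
    if (!bin || !safePath(req.mountpoint)) return std::nullopt;
    if (req.action == "mount") {
        // Share must be a UNC-style //server/share, validated like a path.
        if (req.share.rfind("//", 0) != 0 || !safePath(req.share)) return std::nullopt;
        return std::vector<std::string>{*bin, "-t", "cifs", req.share, req.mountpoint};
    }
    return std::vector<std::string>{*bin, req.mountpoint};
}

// Constructed stand-in for the filesystem and for the helper's search list.
static const std::set<std::string> kFakeFs = {"/bin/mount", "/usr/sbin/umount"};
bool fakeExists(const std::string& path) { return kFakeFs.count(path) != 0; }
static const std::vector<std::string> kSearchDirs = {"/bin", "/sbin", "/usr/bin", "/usr/sbin"};

int main() {
    // A malicious client asks for "mount" but supplies its own argv.
    HelperRequest evil{{"/bin/sh", "-c", "cp /bin/sh /tmp/r && chmod u+s /tmp/r"},
                       "mount", "//server/share", "/home/alice/smb4k/server/share"};
    std::cout << "vulnerable helper would exec: " << vulnerableArgv(evil)[0] << '\n';
    if (const auto argv = hardenedArgv(evil, kSearchDirs, fakeExists)) {
        std::cout << "hardened helper execs: " << (*argv)[0] << '\n';
    }
    HelperRequest traversal{{}, "umount", "", "/home/alice/../../etc"};
    std::cout << "traversal request accepted: "
              << (hardenedArgv(traversal, kSearchDirs, fakeExists) ? "yes" : "no") << '\n';
    return 0;
}
```

Two design points carry over to any privileged helper of this shape. First, the check is on what the helper does with the request, not on whether the request is authorised: polkit cannot know that "command" is a program name, so the helper must treat every field of the request as untrusted input and derive the program itself. Second, validating the shape of the paths as above does not restrict where root mounts or unmounts; a real helper would additionally compare the mount point against the identity of the caller that the framework exposes to it (for instance, requiring the directory to be owned by the calling user), which this example does not attempt.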



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 21 Jul 2017 07:25:03 GMT)


Bug unarchived. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 23 Aug 2017 04:54:03 GMT)


Marked as fixed in versions smb4k/1.2.1-2~deb8u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 23 Aug 2017 04:54:03 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 28 Sep 2017 07:24:56 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:44:27 2019; Machine Name: buxtehude
