Bug 1099268 (CVE-2018-12562)

Summary: VUL-0: CVE-2018-12562: cantata: Insufficient input validation in the 'mount.cifs.wrapper' script
Product: [openSUSE] openSUSE Distribution
Reporter: Alexander Bergmann <abergmann>
Component: Security
Assignee: Cor Blom <cornelis>
Status: RESOLVED DUPLICATE
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
Version: Leap 15.0
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/208465/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexander Bergmann 2018-06-27 09:04:04 UTC
rh#1595570

An issue was discovered in the cantata-mounter D-Bus service in Cantata through
2.3.1. The wrapper script 'mount.cifs.wrapper' uses the shell to forward the
arguments to the actual mount.cifs binary. The shell evaluates wildcards (such
as in an injected string:/home/../tmp/* string).

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1595570
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12562
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12562.html
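
How unquoted argument forwarding in a shell wrapper lets the shell expand wildcards, next to the quoted form and an input check. This is an added example, not part of the original report and not Cantata's wrapper script; `fake_mount`, `forward_unquoted`, `forward_quoted`, `validate_arg` and `demo` are hypothetical names, and the files are constructed in a temporary directory.

```shell
#!/bin/sh
# Added illustration (assumed names throughout); not the Cantata script.

# Stand-in for the real mount.cifs binary: reports how many arguments arrived.
fake_mount() {
    echo "$#"
}

# Weak form: unquoted $@ is subject to word splitting and pathname expansion,
# so one argument containing '*' can become many arguments.
forward_unquoted() {
    fake_mount $@
}

# Hardened form: "$@" hands every argument to the callee unchanged.
forward_quoted() {
    fake_mount "$@"
}

# Input validation: refuse arguments that carry glob metacharacters.
validate_arg() {
    case $1 in
        *\**|*\?*|*\[*) return 1 ;;
    esac
    return 0
}

# Build a constructed directory with three files and forward "<dir>/*"
# through both wrappers; echoes "<unquoted count> <quoted count>".
demo() {
    dir=$(mktemp -d) || return 1
    touch "$dir/a" "$dir/b" "$dir/c"
    arg="$dir/*"
    unq=$(forward_unquoted "$arg")
    quo=$(forward_quoted "$arg")
    rm -rf "$dir"
    echo "$unq $quo"
}

demo   # prints "3 1": the unquoted wrapper delivered three paths, the quoted one
```
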
Comment 1 Cor Blom 2018-06-27 11:08:20 UTC
We don't build with this option.

*** This bug has been marked as a duplicate of bug 1091824 ***