Bugzilla – Bug 869828
VUL-0: CVE-2014-2581: smb4k: credentials cache leak
Last modified: 2017-07-13 11:13:08 UTC
via oss-sec Date: Mon, 24 Mar 2014 16:19:51 +1100 From: Murray McAllister <mmcallis@redhat.com> Subject: [oss-security] possible CVE request: smb4k credentials cache leak Hi, https://bugs.gentoo.org/show_bug.cgi?id=505376 notes that smb4k (an SMB/CIFS share browser for KDE) version 1.1.1 fixes a potential security issue: "Fixed potential security issue reported by Heiner Markert. Do not allow the cruid option to be entered via the "Additional options" line edit. Also, implement a check in Smb4KMountJob::createMountAction() that removes the cruid option from the custom options returned by Smb4KSettings::customCIFSOptions()." http://sourceforge.net/projects/smb4k/files/Smb4K%20%28stable%20releases%29/1.1.1/ Does it need a CVE? I do not have further details, sorry. -- Murray McAllister / Red Hat Security Response Team https://bugzilla.redhat.com/show_bug.cgi?id=1079819
bugbot adjusting priority
CVE-2014-2581 was assigned by Mitre
still open for openSUSE
I am very sorry, but this bug will not be fixed until smb4k is ported to KF5. The submission of newer version of smb4k is depending on bnc#869969, but Sebastian does not agree with the underlying usage/structure of KAuth. As that this will not be changed for the KDE4 network, we can not move forward nor backward. At least newer versions for smb4k are being offered through KDE:Extra for the users, but due to the rpmlint errors we can not move it to Factory/Tumbleweed/Maintenance
(In reply to Raymond Wooninck from comment #4) Thanks for the explanation, then we have to wait for now. Users looking here for a fix have your suggestion to use, that's good enough for now
fixed in current Leap