Arch Linux Security Advisory ASA-201705-11
==========================================

Severity: High
Date    : 2017-05-10
CVE-ID  : CVE-2017-8849
Package : smb4k
Type    : privilege escalation
Remote  : No
Link    : https://security.archlinux.org/AVG-268

Summary
=======

The package smb4k before version 2.0.0-2 is vulnerable to privilege
escalation.

Resolution
==========

Upgrade to 2.0.0-2.

# pacman -Syu "smb4k>=2.0.0-2"

The problem has been fixed upstream but no release is available yet.

Workaround
==========

None.

Description
===========

Smb4k <= 2.0.0 contains a logic flaw in which the mount helper binary does
not properly verify the mount command it is being asked to run. This allows
calling any other binary as root, since the mount helper is typically
installed setuid.

Impact
======

A local, unprivileged attacker can escalate privileges to become root on
the affected host.

References
==========

https://www.kde.org/info/security/advisory-20170510-2.txt
http://seclists.org/oss-sec/2017/q2/240
https://commits.kde.org/smb4k/a90289b0962663bc1d247bbbd31b9e65b2ca000e
https://security.archlinux.org/CVE-2017-8849
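As an added illustration of the kind of verification the Description section says was missing (a hypothetical example written for this advisory, not smb4k's code and not the upstream fix): a setuid mount helper that maps the caller's requested command onto a fixed allow-list of canonical absolute paths and executes only its own constant, never the caller-supplied string. The allow-listed paths are assumptions for a typical Linux layout.

```c
/* Hypothetical allow-list check for a setuid mount helper.
 * Example code for this advisory, not smb4k's implementation.
 * The helper is asked to run a mount/umount program; instead of trusting the
 * requested path, it looks the request up in a fixed table and returns the
 * table's own string (or NULL), so nothing the caller controls is ever executed. */
#include <stddef.h>
#include <string.h>

/* Assumed locations; adjust for the target distribution. */
static const char *const ALLOWED_MOUNT_COMMANDS[] = {
    "/usr/bin/mount",
    "/usr/bin/umount",
    "/usr/bin/mount.cifs",
    "/usr/bin/umount.cifs",
};

/* Returns the allow-listed canonical path matching `requested`, or NULL if the
 * request is not absolute, contains traversal components, or is not listed.
 * A real helper would additionally canonicalize with realpath(3) and drop
 * privileges before doing anything else on behalf of the caller. */
const char *select_mount_command(const char *requested)
{
    if (requested == NULL || requested[0] != '/')
        return NULL;                       /* relative names are refused */
    if (strstr(requested, "/../") != NULL || strstr(requested, "/./") != NULL
        || strstr(requested, "//") != NULL)
        return NULL;                       /* no traversal or doubled separators */

    size_t n = sizeof ALLOWED_MOUNT_COMMANDS / sizeof ALLOWED_MOUNT_COMMANDS[0];
    for (size_t i = 0; i < n; i++) {
        if (strcmp(requested, ALLOWED_MOUNT_COMMANDS[i]) == 0)
            return ALLOWED_MOUNT_COMMANDS[i];   /* hand back our constant, not the input */
    }
    return NULL;                           /* anything else, e.g. a shell, is rejected */
}
```

The helper then passes the returned constant (never `requested`) to execv(3), and treats NULL as a hard failure.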