Candidate: CVE-2018-12562
PublicDate: 2018-06-19 05:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12562
 http://www.openwall.com/lists/oss-security/2018/06/18/1
 https://github.com/CDrummond/cantata/commit/afc4f8315d3e96574925fb530a7004cc9e6ce3d3
Description:
 An issue was discovered in the cantata-mounter D-Bus service in Cantata
 through 2.3.1. The wrapper script 'mount.cifs.wrapper' uses the shell to
 forward the arguments to the actual mount.cifs binary. The shell evaluates
 wildcards (such as in an injected string:/home/../tmp/* string).
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901798
Priority: high
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]


Patches_cantata:
upstream_cantata: released (2.3.0.ds1-2)
precise/esm_cantata: DNE
trusty_cantata: ignored (reached end-of-life)
trusty/esm_cantata: DNE (trusty was needs-triage)
xenial_cantata: not-affected (vulnerable code not built)
artful_cantata: ignored (reached end-of-life)
bionic_cantata: not-affected (vulnerable code not built)
cosmic_cantata: not-affected (2.3.0.ds1-2)
disco_cantata: not-affected (2.3.0.ds1-2)
eoan_cantata: not-affected (2.3.0.ds1-2)
devel_cantata: not-affected (2.3.0.ds1-2)