Bug#: 218933
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Matthias Geerdsen <vorlon@gentoo.org>

Attachments:
  post-kde-3.5.5-kinit.diff: patch for KDE 3.5.5 - KDE 3.5.9 (patch), Matthias Geerdsen, 2008-04-22 19:35 0000, 3.87 KB
  kdelibs-3.5.8-r4.ebuild: kde-base/kdelibs/kdelibs-3.5.8-r4.ebuild (text/plain), Ingmar Vanhassel (RETIRED), 2008-04-23 12:24 0000, 5.94 KB

Description:   Opened: 2008-04-22 19:33 0000
Please note that this issue is under embargo until 2008-04-25. *Do not commit*
anything to CVS and keep any information confidential until that date.

Advisory Draft

1. Systems affected:

        start_kdeinit of KDE 3.x as of KDE 3.5.5 or newer. KDE 4.0
        and newer are not affected. Only the Linux platform is affected.


2. Overview:

        start_kdeinit is a wrapper to launch kdeinit with a lower OOM
        score on Linux. This helper is used to ensure that a
        single KDE application triggering the Linux kernel OOM killer
        does not kill the whole KDE session. By default,
        start_kdeinit is installed as setuid root. The start_kdeinit
        processing of user-influenceable input is faulty.

3. Impact:

        If start_kdeinit is installed as setuid root, a local user
        might be able to send unix signals to other processes, cause
        a denial of service or even possibly execute arbitrary code.

------- Comment #1 From Matthias Geerdsen 2008-04-22 19:35:33 0000 -------
Created an attachment (id=150638)
patch for KDE 3.5.5 - KDE 3.5.9

------- Comment #2 From Matthias Geerdsen 2008-04-22 19:37:49 0000 -------
Please prepare an ebuild with the patch and put it up here so we can call the
arch security liaisons to test it. 

Do not commit anything to CVS before this has been made public.

------- Comment #3 From Ingmar Vanhassel (RETIRED) 2008-04-23 12:24:00 0000 -------
Created an attachment (id=150693)
kde-base/kdelibs/kdelibs-3.5.8-r4.ebuild

Ebuild attached, the patch posted earlier goes in as
files/kdelibs-3.5.8-kinit-CVE-FIXME.patch
The 3.5.9 ebuilds will get the same treatment, when I'm allowed to commit.

------- Comment #4 From Robert Buchholz 2008-04-23 15:46:47 0000 -------
Use CVE-2008-1671 when committing then.

Arch Security Liaisons, please test the attached ebuild and report it stable on
this bug.
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 release sparc x86"

CC'ing current Liaisons:
   alpha : ferdy
   amd64 : welp
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
 release : pva
   sparc : fmccor
     x86 : opfer

------- Comment #5 From Jeroen Roovers 2008-04-24 03:12:11 0000 -------
That's OK for HPPA.

------- Comment #6 From Raúl Porcel 2008-04-24 08:55:40 0000 -------
Looks okay on alpha/ia64/sparc/x86

------- Comment #7 From Markus Rothe 2008-04-24 16:35:32 0000 -------
looks good on ppc64

------- Comment #8 From Tobias Scherbaum 2008-04-24 19:00:41 0000 -------
good to go on ppc

------- Comment #9 From Wulf Krueger (RETIRED) 2008-04-26 21:06:27 0000 -------
As asked for by welp I've tested on amd64 on which it's fine, too.

------- Comment #10 From Robert Buchholz 2008-04-27 10:12:02 0000 -------
This is public via $URL. KDE, please commit to the tree straight to stable for
the arches that reported back. Thanks, everyone.

------- Comment #11 From Jeroen Roovers 2008-04-28 12:34:18 0000 -------
I am well aware I am no member of the KDE project, but since it's a right mess
at the moment I have committed Ye Ebuilde And Patche to the tree.

# ChangeLog for kde-base/kdelibs
# Copyright 2002-2008 Gentoo Foundation; Distributed under the GPL v2
# $Header: /var/cvsroot/gentoo-x86/kde-base/kdelibs/ChangeLog,v 1.523 2008/04/28 12:32:23 jer Exp $

*kdelibs-3.5.8-r4 (28 Apr 2008)

  28 Apr 2008; Jeroen Roovers <jer@gentoo.org>
  +files/kdelibs-3.5.8-kinit-CVE-2008-1671.patch, +kdelibs-3.5.8-r4.ebuild:
  Straight to stable (bug #218933).

------- Comment #12 From Ingmar Vanhassel (RETIRED) 2008-04-28 12:45:05 0000 -------
(In reply to comment #11)
> I am well aware I am no member of the KDE project, but since it's a right mess
> at the moment I have committed Ye Ebuilde And Patche to the tree.

I was out during the weekend, had Wulf not been retired today, he would've
committed what I posted in #c3 first thing in the morning.
~arch done too.

------- Comment #13 From Peter Volkov 2008-04-29 06:26:17 0000 -------
Fixed in release snapshot.

------- Comment #14 From Matthias Geerdsen 2008-04-29 12:34:34 0000 -------
GLSA 200804-30

thanks everyone
