Bug 136201 - kde-base/kdebase KDM symlink vulnerability (CVE-2006-2449)
Bug#: 136201
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: normal
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: jaervosz@gentoo.org
Component: Vulnerabilities
URL: http://www.kde.org/info/security/advisory-20060614-1.txt
Summary: kde-base/kdebase KDM symlink vulnerability (CVE-2006-2449)
Keywords:
Status Whiteboard: A3 [glsa] jaervosz
Opened: 2006-06-09 08:16 0000

KDE Security Advisory: KDM symlink attack vulnerability
Original Release Date: 2006-06-15
URL: http://www.kde.org/info/security/advisory-20060615-1.txt

0. References
CVE XXXXX-FIXME

1. Systems affected:
KDM as shipped with KDE 3.2.0 up to and including 3.5.3. KDE 3.1.x and
older and newer versions than KDE 3.5.3 are not affected.

2. Overview:
KDM allows the user to select the session type for login. This
setting is permanently stored in the user home directory. By
using a symlink attack, KDM can be tricked into allowing the
user to read file content that would otherwise be unreadable
to this particular user. This vulnerability was discovered
and reported by Ludwig Nussel.

3. Impact:
KDM might allow a normal user to read the content of /etc/shadow
or other files, which allows compromising the privacy of another
user or even the security of the whole system.

4. Solution:
Source code patches have been made available which fix these
vulnerabilities. Contact your OS vendor / binary package provider
for information about how to obtain updated binary packages.

5. Patch:
A patch for KDE 3.4.0 - KDE 3.5.3 is available from
ftp://ftp.kde.org/pub/kde/security_patches :
9daecff07d57dabba35da247e752916a post-3.5.0-kdebase-kdm.diff
A patch for KDE 3.3.x is available from
ftp://ftp.kde.org/pub/kde/security_patches :
f2e1424d97f2cd18674bef833274c5e3 post-3.3.0-kdebase-kdm.diff
A patch for KDE 3.2.x is available from
ftp://ftp.kde.org/pub/kde/security_patches :
8aa6b41cccca4216c6eb1cf705c2370a post-3.2.0-kdebase-kdm.diff

Carlo, here it was, please provide updated ebuilds. <friendly reminder>Don't
commit anything to Portage yet</friendly reminder>

O.k., these are the kdm ebuilds to be tested (as much as this trivial patch
needs to be tested). I'll commit the corresponding kdebase ebuilds directly to
the tree in time. Please ensure you have synced, since I did some changes to
the kde eclasses with regards to patch handling.

Arches, please test and report back if this is stable. As always: _don't_ commit
to the tree!

Passing on to weeve, he's our kde mofo and I'm not quite yet feeling good
anyway.

Compiles and runs fine on PPC64, even though I'm not sure how to test if the
security issue is fixed... guess it just *is*.

Arch Sec Liaisons please note that public disclosure is tomorrow so we are in
a bit of a hurry here.

Tomorrow as in 13 Jun 2006 or 14 Jun 2006?
/me doesn't know what timezone you are in.

(In reply to comment #10)
> Compiles and runs fine on PPC64, even though I'm not sure how to test if the
> security issue is fixed... guess it just *is*.
>
Formerly KDM was fine with reading ~/.dmrc - as long as it succeeded. A user
could replace his ~/.dmrc with a symlink to another file to get e.g. the
content of /etc/shadow. Looking at the code, this is not possible anymore, but
you can still test of course. :)

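The failure mode described in that comment is a privileged process trusting a path under user control. The following is an added example (not KDM's code and not from the patch in this bug) of how such a read can be hardened: the final path component must not be a symlink, and the object actually opened must be a regular file owned by the expected user. The function names, the temporary directory and the sample .dmrc content are constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a per-user file (e.g. ~/.dmrc) from a privileged process without
 * trusting its path: the final component must not be a symlink, and the
 * opened object must be a regular file owned by the expected user.
 * Returns an fd, or -1 with errno set (ELOOP for a symlink, EPERM for
 * a wrong owner or a non-regular file). */
int open_user_file(const char *path, uid_t expected_uid) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY);
    if (fd < 0) return -1;
    struct stat st;
    /* Check the object actually opened, not the path name, to avoid races. */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != expected_uid) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed demo: a genuine settings file is accepted, while a symlink
 * placed at the same kind of location (pointing at /etc/shadow, as in the
 * advisory) is refused before anything is read. Returns 1 on success. */
int demo_symlink_refused(void) {
    char dir[] = "/tmp/dmrc-demo-XXXXXX";   /* constructed scratch directory */
    char real[64], link[64];
    if (!mkdtemp(dir)) return 0;
    snprintf(real, sizeof real, "%s/real.dmrc", dir);
    snprintf(link, sizeof link, "%s/link.dmrc", dir);
    FILE *f = fopen(real, "w");
    if (!f) return 0;
    fputs("[Desktop]\nSession=kde\n", f);      /* constructed sample content */
    fclose(f);
    if (symlink("/etc/shadow", link) < 0) return 0;
    int good = open_user_file(real, getuid());
    int bad = open_user_file(link, getuid());
    int refused = (bad < 0 && errno == ELOOP);  /* O_NOFOLLOW rejected the link */
    if (good >= 0) close(good);
    unlink(link); unlink(real); rmdir(dir);
    return good >= 0 && refused;
}
```

The ownership check matters even with O_NOFOLLOW, since a hard link or a directory swapped in by the user can still point the name at someone else's file.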
(In reply to comment #12)
> Tomorrow as in 13 Jun 2006 or 14 Jun 2006?
14th 16:00 GMT

Looks good on SPARC. I'm fine with it being keyworded.

Announcement is out, so the bug can be opened and arch teams cc'ed.

Committed
kdm-3.4.3-r2
kdm-3.5.2-r1
kdebase-3.4.3-r2
kdebase-3.5.2-r2
with ppc and sparc stable. Other arch teams are asked to follow asap. Thanks. :)

Arches please test and mark stable asap.

*** Bug 136807 has been marked as a duplicate of this bug. ***

Duh, I forgot to commit the most important file - the patch. :( It's in cvs
now.

kdm-3.4.3-r2, kdm-3.5.2-r1, kdebase-3.4.3-r2, and kdebase-3.5.2-r2 stable on
alpha and amd64. Sorry for the delay, this one required quite a bit of
compiling ;)

Didn't want to wait forever on a second pair of eyes. Stable on x86.

Thx Carsten.

Ready for GLSA.

Security please review draft.

GLSA 200606-23

ia64, mips don't forget to mark stable to benefit from the GLSA.

In this bug report it says "fixed in kdm-3.5.2-r1" but in the GLSA it says
"vulnerable < 3.5.2-r2" and "unaffected >= 3.5.2-r2". Since I can't find a
kdm-3.5.2-r2 in my just synced portage tree, I think it's a typo in the GLSA.

As Horst said, the GLSA isn't correct.

Sorry for that, should be fixed in CVS now. Thanks for reporting this.