Bug 200856 - kde-base/kdm and kde-base/kdebase: Local Denial of Service (CVE-2007-5963)
Bug#: 200856 (CVE-2007-5963) Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: minor Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: rbu@gentoo.org
Component: Vulnerabilities
URL: 
Summary: kde-base/kdm and kde-base/kdebase: Local Denial of Service (CVE-2007-5963)
Keywords:  
Status Whiteboard: B3 [noglsa]
Opened: 2007-11-30 18:13 0000
Description:
From a pre-advisory:

1. Systems affected:

        KDM as shipped with KDE 3.2.0 up to and including 3.5.8.


2. Overview:

        KDM can be tricked into hanging or eating memory by reading from
        special files (pipes or symlinks to devices), big or sparse files
        created in the user's home directory.

        A regular user with a valid account is able to prepare his home
        directory in a way that will make login via KDM impossible for
        any user if KDM's user list display is enabled and users are
        permitted to add their own images. Given that the account can be
        identified easily, this issue is only sensitive for high
        security environments.

3. Impact:

        A regular user with a valid account is able to make login via KDM
        impossible. A regular user can also cause KDM to exceed the
        system resource limits.

3a. Workaround:

        The login DoS can be worked around by either disabling the user list
        feature entirely (UserList=false in kdmrc) or displaying only
        administratively assigned images (FaceSource=AdminOnly).

        The memory consumption issue can be worked around by setting an
        appropriate resource limit on KDM itself. Note that this affects 
        local X servers as well.
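The two halves of the pre-advisory (the file-based hang/memory exhaustion in section 2, and the kdmrc workaround in section 3a) are easy to see in code. The block below is an added example written for this bug page; it is not KDM's source and not the attached patch. It shows a face-image loader that refuses the file types named above (FIFOs, symlinks to devices, oversized or sparse files) and a small audit of the `[X-*-Greeter]` settings mentioned in the workaround. The size cap, the sample file names, the assumed kdmrc defaults (`UserList=true`, `FaceSource=AdminOnly`) and the restriction to the global greeter section are assumptions, not facts from the bug.

```python
"""
Defensive illustration of the KDM face-image issue described above.
This is added example code, not KDM's own source; the limits, the
file names and the kdmrc parsing are assumptions.

Failure modes from the advisory: a FIFO blocks the reader, a symlink
to a device such as /dev/zero never reaches EOF, and a huge or sparse
file exhausts memory.  load_face() refuses anything that is not a
plain regular file of bounded size and never reads past the cap.
user_list_dos_mitigated() checks a kdmrc for the stated workaround.
"""
import configparser
import os
import stat
import tempfile

MAX_FACE_BYTES = 256 * 1024   # assumed cap; real face icons are a few KB


class FaceRejected(Exception):
    """A user-supplied face file must not be used."""


def load_face(path: str, max_bytes: int = MAX_FACE_BYTES) -> bytes:
    # O_NOFOLLOW refuses a symlink at the final component (open fails
    # with ELOOP); O_NONBLOCK means opening a FIFO with no writer does
    # not hang; O_NOCTTY avoids acquiring a terminal device by accident.
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK | os.O_NOCTTY
    try:
        fd = os.open(path, flags)
    except OSError as exc:
        raise FaceRejected(f"cannot open: {exc.strerror}") from exc
    try:
        st = os.fstat(fd)            # inspect the object actually opened
        if not stat.S_ISREG(st.st_mode):
            raise FaceRejected("not a regular file (pipe, device or socket)")
        if st.st_size > max_bytes:
            # st_size is the logical size, so a sparse file with a huge
            # hole is rejected here without reading a single byte.
            raise FaceRejected(f"too large: {st.st_size} bytes")
        data = bytearray()
        while len(data) <= max_bytes:   # bounded even if the file grows
            chunk = os.read(fd, 64 * 1024)
            if not chunk:
                return bytes(data)
            data.extend(chunk)
        raise FaceRejected("grew past the size cap while reading")
    finally:
        os.close(fd)


def classify(path: str) -> str:
    """Return 'ok' or the rejection reason (handy for a demo or a test)."""
    try:
        load_face(path)
        return "ok"
    except FaceRejected as exc:
        return str(exc)


def build_samples() -> dict:
    """Constructed ~/.face.icon candidates, one per case in the advisory."""
    d = tempfile.mkdtemp(prefix="kdm-face-demo-")
    good = os.path.join(d, "good.png")
    with open(good, "wb") as f:
        f.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)   # stub, not a real PNG
    fifo = os.path.join(d, "fifo.png")
    os.mkfifo(fifo)
    link = os.path.join(d, "zero.png")
    os.symlink("/dev/zero", link)
    sparse = os.path.join(d, "sparse.png")
    with open(sparse, "wb") as f:
        f.truncate(8 * 1024 * 1024)    # 8 MiB logical size, no data blocks
    return {"good": good, "fifo": fifo, "symlink": link, "sparse": sparse}


# Constructed kdmrc fragments for the workaround in section 3a.
WEAK_KDMRC = "[X-*-Greeter]\nUserList=true\nFaceSource=PreferUser\n"
HARDENED_KDMRC = "[X-*-Greeter]\nUserList=true\nFaceSource=AdminOnly\n"


def user_list_dos_mitigated(kdmrc_text: str) -> bool:
    """True if the greeter never loads user-controlled images.

    Only the global [X-*-Greeter] section is examined; per-display
    sections such as [X-:0-Greeter] can override it and are ignored here.
    The defaults UserList=true and FaceSource=AdminOnly are assumed.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                 # kdmrc keys are case-sensitive
    cp.read_string(kdmrc_text)
    sec = "X-*-Greeter"
    user_list = cp.get(sec, "UserList", fallback="true").lower() == "true"
    source = cp.get(sec, "FaceSource", fallback="AdminOnly")
    return not user_list or source == "AdminOnly"


if __name__ == "__main__":
    for name, path in build_samples().items():
        print(f"{name:8s} {classify(path)}")
    print("weak kdmrc mitigated:", user_list_dos_mitigated(WEAK_KDMRC))
    print("hardened kdmrc mitigated:", user_list_dos_mitigated(HARDENED_KDMRC))
```

The important design point is that every check is made on the descriptor returned by `open`, not on the path: a `stat` before `open` can be raced by the user swapping the file, whereas `fstat` describes exactly what will be read. The size loop is kept even though `st_size` is checked first, because a regular file can still be appended to between the check and the read.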

------- Comment #1 From Robert Buchholz 2007-11-30 18:15:40 0000 -------
Wulf, please do not commit anything yet. I'll attach a patch. If you want to
prepare an ebuild, please attach it to this bug.

------- Comment #2 From Robert Buchholz 2007-11-30 18:15:58 0000 -------
Created an attachment (id=137399) [details]
post-3.5.8-kdebase-kdm.diff

------- Comment #3 From Wulf Krueger (RETIRED) 2007-12-01 17:33:44 0000 -------
Fixed in kdm-3.5.8-r1 and kdebase-3.5.8-r2. This is not much of an issue,
though.

------- Comment #4 From Wulf Krueger (RETIRED) 2007-12-01 23:05:14 0000 -------
Now fixed in kdm-3.5.7-r3 and kdebase-3.5.7-r5, too, both of which should be
stabilised.

------- Comment #5 From Robert Buchholz 2007-12-01 23:28:43 0000 -------
Wulf, did you agree on a disclosure date with upstream?

CC'ing arch security liaisons, wolf31o2 for releng and armin76 and opfer for
support :-)

kde-base/kdm-3.5.7-r3:
Target keywords : "alpha amd64 ia64 ppc ppc64 sparc x86"

kde-base/kdebase-3.5.7-r5:
Target keywords : "alpha amd64 hppa ia64 mips ppc ppc64 sparc x86"

------- Comment #6 From Christian Faulhammer 2007-12-02 15:58:16 0000 -------
(In reply to comment #5)
> kde-base/kdebase-3.5.7-r5:
> Target keywords : "alpha amd64 hppa ia64 mips ppc ppc64 sparc x86"

Stable for x86, kdm to follow by maekke...so watch out.

------- Comment #7 From Tobias Scherbaum 2007-12-02 17:11:38 0000 -------
both ppc stable

------- Comment #8 From Markus Rothe 2007-12-02 18:40:46 0000 -------
ppc64 stable

------- Comment #9 From Robert Buchholz 2007-12-04 16:44:39 0000 -------
Created an attachment (id=137716) [details]
kdm3-face-dos.diff

Dirk Müller pointed out that a part was missing from the attachment posted on
this bug. Attaching that additional hunk.

------- Comment #10 From Jeroen Roovers 2007-12-04 18:57:46 0000 -------
Stable for HPPA.

------- Comment #11 From Raúl Porcel 2007-12-04 20:53:27 0000 -------
alpha/ia64/sparc stable

------- Comment #12 From Raúl Porcel 2007-12-05 11:22:05 0000 -------
Adding welp the slacker so he can do it for amd64 if nobody does it before.

------- Comment #13 From Peter Weller 2007-12-05 15:21:28 0000 -------
Aaaaaand! The slacker does it again! Stable on amd64 :-)

------- Comment #14 From Robert Buchholz 2007-12-06 00:18:21 0000 -------
This is ready for glsa vote.

I vote NO.

------- Comment #15 From Pierre-Yves Rofes 2007-12-14 15:43:05 0000 -------
no too, and closing. We'll unrestrict it once this goes public.

------- Comment #16 From Wulf Krueger (RETIRED) 2007-12-14 22:15:30 0000 -------
Upstream won't do anything about it. They don't consider this a real security
issue so this bug can be unrestricted.

------- Comment #17 From Robert Buchholz 2007-12-14 22:40:05 0000 -------
I was waiting for CVE-2007-5963 to get public, but Dirk also stated it is no
longer under embargo. Unrestricting.

------- Comment #18 From Jonathan Smith 2007-12-16 21:35:30 0000 -------
(In reply to comment #16)
> Upstream won't do anything about it. They don't consider this a real security
> issue so this bug can be unrestricted.

To clarify, they ARE going to fix it for the next upstream release, but just
don't feel it warrants an advisory.

------- Comment #19 From Peter Volkov 2008-03-06 09:53:47 0000 -------
Does not affect current (2008.0) release. Removing release.