From a pre-advisory: 1. Systems affected: KDM as shipped with KDE 3.2.0 up to including 3.5.8. 2. Overview: KDM can be tricked into hanging or eating memory by reading from special files (pipes or symlinks to devices), big or sparse files created in the users home directory. A regular user with a valid account is able to prepare his home directory in a way that will make login via KDM impossible for any user if KDM's user list display is enabled and users are permitted to add their own images. Given that the account can be identified easily, this issue is only sensitive for high security environments. 3. Impact: A regular user with a valid account is able to make login via KDM impossible. A regular user can also cause KDM to exceed the system resource limits. 3a. Workaround: The login DoS can be worked around by either disabling the user list feature entirely (UserList=false in kdmrc) or displaying only administratively assigned images (FaceSource=AdminOnly). The memory consumption issue can be worked around by setting an appropriate resource limit on KDM itself. Note that this affects local X servers as well.
Wulf, please do not commit anything yet. I'll attach a patch. If you want to prepare an ebuild, please attach it to this bug.
Created attachment 137399 [details, diff] post-3.5.8-kdebase-kdm.diff
Fixed in kdm-3.5.8-r1 and kdebase-3.5.8-r2. This is not much of an issue, though.
Now fixed in kdm-3.5.7-r3 and kdebase-3.5.7-r5, too, both of which should be stabilised.
Wulf, did you agree on a disclosure date with upstream? CC'ing arch security liaisons, wolf31o2 for releng and armin76 and opfer for support :-) kde-base/kdm-3.5.7-r3: Target keywords : "alpha amd64 ia64 ppc ppc64 sparc x86" kde-base/kdebase-3.5.7-r5: Target keywords : "alpha amd64 hppa ia64 mips ppc ppc64 sparc x86"
(In reply to comment #5) > kde-base/kdebase-3.5.7-r5: > Target keywords : "alpha amd64 hppa ia64 mips ppc ppc64 sparc x86" Stable for x86, kdm to follow by maekke...so watch out.
both ppc stable
ppc64 stable
Created attachment 137716 [details, diff] kdm3-face-dos.diff Dirk Müller pointed out that a part was missing from the attachment posted on this bug. Attaching that additional hunk.
Stable for HPPA.
alpha/ia64/sparc stable
Adding welp the slacker so he can do it for amd64 if nobody does it before
Aaaaaand! The slacker does it again! Stable on amd64 :-)
This is ready for glsa vote. I vote NO.
no too, and closing. We'll unrestrict it once this goes public.
Upstream won't do anything about it. They don't consider this a real security issue so this bug can be unrestricted.
I was waiting for CVE-2007-5963 to get public, but Dirk also stated it is no longer under embargo. Unrestricting.
(In reply to comment #16) > Upstream won't do anything about it. They don't consider this a real security > issue so this bug can be unrestricted. To clarify, they ARE going to fix it for the next upstream release, but just don't feel it warrants an advisory.
Does not affect current (2008.0) release. Removing release.
