KDE Security Advisory: KDM Local Privilege Escalation Vulnerability
Original Release Date: 2010-04-13
URL: http://www.kde.org/info/security/advisory-20100413-1.txt

0. References
   CVE-2010-0436

1. Systems affected:
   KDM as shipped with KDE SC 2.2.0 up to and including KDE SC 4.4.2

2. Overview:
   KDM contains a race condition that allows local attackers to make arbitrary files on the system world-writeable. This can happen while KDM tries to create its control socket during user login.
   This vulnerability has been discovered by Sebastian Krahmer from the SUSE Security Team.

3. Impact:
   A local attacker with a valid local account can under certain circumstances make use of this vulnerability to execute arbitrary code as root.

4. Solution:
   Source code patches have been made available which fix these vulnerabilities. Contact your OS vendor / binary package provider for information about how to obtain updated binary packages.

5. Patch:
   A patch for KDE 4.3.x-4.4.x is available from ftp://ftp.kde.org/pub/kde/security_patches :
   68c1dfe76e80812e5e049bb599b3374e  kdebase-workspace-4.3.5-CVE-2010-0436.diff

http://www.kde.org/info/security/advisory-20100413-1.txt
ftp://ftp.kde.org/pub/kde/security_patches/kdebase-workspace-4.3.5-CVE-2010-0436.diff
Thanks, Samuli. KDE, please provide a patched ebuild ASAP.
Fixed in kdm-4.3.5-r1, kdm-4.4.2-r2
(In reply to comment #2)
> Fixed in kdm-4.3.5-r1, kdm-4.4.2-r2
>
Note that HPPA refused to stabilize 4.3.5, so you "need" to maintain also 4.3.3 wrt http://bugs.gentoo.org/show_bug.cgi?id=300393#c7
CVE-2010-0436 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0436): Race condition in backend/ctrl.c in KDM in KDE Software Compilation (SC) 2.2.0 through 4.4.2 allows local users to change the permissions of arbitrary files, and consequently gain privileges, by blocking the removal of a certain directory that contains a control socket, related to improper interaction with ksm.
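The defect the advisory in comment 1 and the CVE text above describe is a time-of-check/time-of-use race around a permission change on a path that the attacker can keep in place or redirect. The C program below is an added illustration of that bug class and its usual mitigation; it is not KDM's code from backend/ctrl.c and not the referenced patch. The function names (prepare_dir_unsafe, prepare_dir_safe, make_scratch and the scenario helpers), the scratch paths and the sample files are the example's own. It contrasts a mode change applied to a path name with one applied to a descriptor that was opened with O_NOFOLLOW | O_DIRECTORY and validated with fstat(), and exercises the hardened routine against a fresh directory, a symlink to a private file and a plain file.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE              /* mkdtemp(), O_DIRECTORY, O_NOFOLLOW on glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Unsafe pattern (illustrative, not KDM's code): the mode is applied to a path
 * name. Whoever controls the parent directory can change what the name refers
 * to between mkdir() and chmod(), and chmod() follows symlinks. */
int prepare_dir_unsafe(const char *path, mode_t mode)
{
    if (mkdir(path, 0700) < 0 && errno != EEXIST)
        return -1;
    return chmod(path, mode);
}

/* Hardened pattern: open the directory itself, refusing symlinks and
 * non-directories, verify the opened object with fstat(), and change the mode
 * through the descriptor. Returns the open descriptor (caller closes) or -1. */
int prepare_dir_safe(const char *path, mode_t mode)
{
    struct stat st;
    int fd;
    if (mkdir(path, 0700) < 0 && errno != EEXIST)
        return -1;
    /* ELOOP for a symlink, ENOTDIR for anything that is not a directory */
    fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    /* Check the object we hold, not the name we asked for. */
    if (fstat(fd, &st) < 0 || !S_ISDIR(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    /* fchmod() acts on the validated object; swapping the path afterwards
     * cannot redirect it. */
    if (fchmod(fd, mode) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Scratch directory for the scenarios (constructed for this example); 0 or -1. */
int make_scratch(char *buf, size_t n)
{
    const char *tmp = getenv("TMPDIR");
    snprintf(buf, n, "%s/ctl_demo_XXXXXX", tmp ? tmp : "/tmp");
    return mkdtemp(buf) ? 0 : -1;
}

/* Each scenario returns 1 when the hardened routine behaves as intended. */
int scenario_fresh_dir(const char *base)        /* base/sock ends up 0755 */
{
    char path[512];
    struct stat st;
    int fd, ok;
    snprintf(path, sizeof path, "%s/sock", base);
    if ((fd = prepare_dir_safe(path, 0755)) < 0)
        return 0;
    ok = fstat(fd, &st) == 0 && S_ISDIR(st.st_mode) && (st.st_mode & 0777) == 0755;
    close(fd);
    return ok;
}

int scenario_symlink_rejected(const char *base) /* symlink to a private file */
{
    char file[512], link[512];
    struct stat st;
    int fd;
    snprintf(file, sizeof file, "%s/private", base);
    snprintf(link, sizeof link, "%s/sock-link", base);
    fd = open(file, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || close(fd) < 0 || symlink(file, link) < 0)
        return 0;
    /* Must fail, and the link target must keep its private mode. */
    return prepare_dir_safe(link, 0777) == -1
        && stat(file, &st) == 0 && (st.st_mode & S_IWOTH) == 0;
}

int scenario_file_rejected(const char *base)    /* a plain file, not a dir */
{
    char file[512];
    int fd;
    snprintf(file, sizeof file, "%s/plain", base);
    fd = open(file, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || close(fd) < 0)
        return 0;
    return prepare_dir_safe(file, 0777) == -1 && errno == ENOTDIR;
}
```

The ownership check in prepare_dir_safe is what closes the window the CVE text points at: even if an attacker manages to keep a directory of their own at the expected path, the routine refuses it instead of widening its permissions, and because the mode is changed through the descriptor rather than the name, nothing done to the path after the open() can redirect the change.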
@security:
was there any reason we have been waiting for over a month now for someone to CC arches for kdm-4.3.5-r1 stabilization?

@kde:
are you still maintaining 4.3.3? we could use 4.3.3-r1 for hppa since they don't do newer versions and it's security supported arch (or is it?)
Local root exploit: http://stealth.openwall.net/xSports/bambule-digitale.c http://c-skills.blogspot.com/2010/04/cve-2010-0436-poc.html
(In reply to comment #5)
> @security:
> was there any reason we have been waiting for over a month now for someone to
> CC arches for kdm-4.3.5-r1 stabilization?

No, sorry. Most of the team is inactive.

> @kde:
> are you still maintaining 4.3.3? we could use 4.3.3-r1 for hppa since they
> don't do newer versions and it's security supported arch (or is it?)
>

It is. KDE, what's your take on this?
Arches, please test and mark stable:
=kde-base/kdm-4.3.5-r1
Target keywords: "amd64 hppa ppc ppc64 x86"
x86 stable
amd64 stable
Marked ppc/ppc64 stable.
Whoops, only marked ppc, not ppc64, sorry for the noise.
Fixed in 4.4.4
ppc64, please test and mark stable as soon as possible:
=kde-base/kdm-4.3.5-r1

KDE, please comment on comment #7 and at best provide a 4.3.3-r1 with the patch if possible
kdm-4.3.3 removed from tree
ready for glsa, I guess it should mention that hppa and ppc64 users should "emerge -C kdm"
glsa request filed.
CC us back if you need us again
This issue was resolved and addressed in GLSA 201412-08 at http://security.gentoo.org/glsa/glsa-201412-08.xml by GLSA coordinator Sean Amoss (ackle).