| Summary: | kde-base/kdebase KDM symlink vulnerability (CVE-2006-2449) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | dertobi123, jlp.bugs, kde, tcort, tsunam, weeve |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.kde.org/info/security/advisory-20060614-1.txt | | |
| Whiteboard: | A3 [glsa] jaervosz | | |
| Package list: | | Runtime testing required: | --- |
Description
Sune Kloppenborg Jeppesen (RETIRED)
2006-06-09 08:16:48 UTC
Created attachment 88772: post-3.2.0-kdebase-kdm.diff

Created attachment 88773: post-3.3.0-kdebase-kdm.diff

Created attachment 88774: post-3.5.0-kdebase-kdm.diff

Carlo here it was, please provide updated ebuilds. <friendly reminder>Don't commit anything to Portage yet</friendly reminder>

Created attachment 88902: kdm-3.5.2-r1.ebuild

Created attachment 88903: kdm-3.4.3-r2.ebuild

O.k., these are the kdm ebuilds to be tested (as much as this trivial patch needs to be tested). I'll commit the corresponding kdebase ebuilds directly to the tree in time. Please assure you have synced, since I did some changes to the kde eclasses with regards to patch handling.

Arches please test and report back if this is stable. As always: _don't_ commit to the tree!

Passing on to weeve, he's our kde mofo and I'm not quite yet feeling good anyway.

compiles and runs fine on PPC64, even though I'm not sure how to test if security issue is fixed... guess it just *is*.

Arch Sec Liaisons please note that public disclosure is tomorrow so we are in a bit of a hurry here.

Tomorrow as in 13 Jun 2006 or 14 Jun 2006? /me doesn't know what timezone you are in.

(In reply to comment #10)
> compiles and runs fine on PPC64, even though I'm not sure how to test if
> security issue is fixed... guess it just *is*.

Formerly KDM was fine with reading ~/.dmrc - as long as it succeeded. A user could replace his ~/.dmrc with a symlink to another file to get e.g. the content of /etc/shadow. Looking at the code, this is not possible anymore, but you can still test of course. :)

(In reply to comment #12)
> Tomorrow as in 13 Jun 2006 or 14 Jun 2006?

14th 16:00 GMT

Looks good on SPARC. I'm fine with it being keyworded.

Looks also good on ppc.

Announcement is out, so the bug can be opened and arch teams cc'ed.

Committed kdm-3.4.3-r2 kdm-3.5.2-r1 kdebase-3.4.3-r2 kdebase-3.5.2-r2 with ppc and sparc stable. Other arch teams are asked to follow asap.

Thanks. :) Arches please test and mark stable asap.

*** Bug 136807 has been marked as a duplicate of this bug. ***

Duh, I missed to commit the most important file - the patch. :( It's in cvs now.

kdm-3.4.3-r2, kdm-3.5.2-r1, kdebase-3.4.3-r2, and kdebase-3.5.2-r2 stable on alpha and amd64. Sorry for the delay, this one required quite a bit of compiling ;)

stable on ppc64

stable on hppa

Didn't want to wait forever on second pair of eyes. Stable on x86.

Thx Carsten. Ready for GLSA. Security please review draft.

GLSA 200606-23

ia64, mips don't forget to mark stable to benefit from the GLSA.

In this bug report it says "fixed in kdm-3.5.2-r1" but in the GLSA it says "vulnerable < 3.5.2-r2" and "unaffected >= 3.5.2-r2". Since I can't find a kdm-3.5.2-r2 in my just synced portage tree, I think it's a typo in the GLSA.

As Horst said, the GLSA isn't correct. Sorry for that, should be fixed in CVS now. Thanks for reporting this.
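
The ~/.dmrc symlink problem described in the reply to comment #10, seen from the defender's side: an added example (not the KDE patch attached to this bug, and not Gentoo's or KDE's code) of a privileged process refusing to read a per-user file through a symlink. The names `read_user_file` and `demo` and the sample file contents are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L /* O_NOFOLLOW, O_CLOEXEC, mkdtemp */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: read a per-user file on behalf of `owner`.
 * Returns the number of bytes read, or -1 if the file is refused. */
ssize_t read_user_file(const char *path, uid_t owner, char *buf, size_t cap)
{
    struct stat st;
    ssize_t n = -1;
    /* O_NOFOLLOW: fail if the last path component is a symlink.
     * O_NONBLOCK: do not hang on a FIFO planted in its place. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0 || cap == 0) {
        if (fd >= 0) close(fd);
        return -1;
    }
    /* fstat() the descriptor, not the path, so the checks apply to the
     * object actually opened: regular file, owned by the user we act
     * for, and not hard-linked from elsewhere. */
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) &&
        st.st_uid == owner && st.st_nlink == 1) {
        n = read(fd, buf, cap - 1);
        if (n >= 0) buf[n] = '\0';
    }
    close(fd);
    return n;
}

/* Constructed demo in a temp dir: returns 0 when a direct read works and
 * both a symlinked .dmrc and a wrong-owner request are refused. */
int demo(void)
{
    static const char sample[] = "[Desktop]\nSession=kde\n"; /* constructed */
    char dir[] = "/tmp/dmrc-demo-XXXXXX", real[64], lnk[64], buf[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(real, sizeof real, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/.dmrc", dir);
    FILE *f = fopen(real, "w");
    if (!f || fputs(sample, f) < 0 || fclose(f) != 0) return -1;
    if (symlink(real, lnk) != 0) return -1;
    ssize_t direct = read_user_file(real, getuid(), buf, sizeof buf);
    ssize_t via = read_user_file(lnk, getuid(), buf, sizeof buf);
    ssize_t other = read_user_file(real, getuid() + 1, buf, sizeof buf);
    unlink(lnk); unlink(real); rmdir(dir);
    return (direct == (ssize_t)strlen(sample) && via == -1 && other == -1) ? 0 : 1;
}
int main(void) { return demo(); }
```

`O_NOFOLLOW` only guards the final path component, so a process that reads files under a user-controlled directory is better served by switching to that user's credentials before the `open()`.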