Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 192373

Summary: kde-base/kdm and kde-base/kdebase (all versions in tree): KDM password less login vulnerability (CVE-2007-4569)
Product: Gentoo Security Reporter: Wulf Krueger (RETIRED) <philantrop>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: major Keywords: SECURITY, STABLEREQ
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B1? [glsa]
Package list:
Runtime testing required: ---

Description Wulf Krueger (RETIRED) gentoo-dev 2007-09-12 23:52:27 UTC
From the advisory which will be released soon:

"KDM might allow a normal user to login as another user or even	root without properly supplying login credentials."

Upstream explicitly requested not to release this to the general public yet which is why I restrict this bug to devs-only for now. Upstream provided a patch which is already in the following package revisions which should be stabilised ASAP:

Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-09-13 09:42:48 UTC
Category "Gentoo Linux->Security" is deprecated.
Comment 2 Sune Kloppenborg Jeppesen gentoo-dev 2007-09-13 09:49:33 UTC
Cleaning up
Comment 3 Sune Kloppenborg Jeppesen gentoo-dev 2007-09-13 09:55:45 UTC
Wulf unfortunately this bug was public for a few moments (when moving it to the correct Bugzilla Product caused access restrictions to be removed). Will you please contact upstream and dicuss how to proceed?

I'll call arch security liaisons in a moment as arch aliases don't work on security bugs.
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2007-09-13 09:59:34 UTC
Arch security liaisons please test and mark stable.
Comment 5 Sune Kloppenborg Jeppesen gentoo-dev 2007-09-13 10:01:34 UTC
rbu please don't unrestrict again :)
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2007-09-13 15:16:16 UTC
alpha/ia64/x86 stable
Comment 7 Markus Rothe (RETIRED) gentoo-dev 2007-09-13 20:16:32 UTC
ppc64 stable
Comment 8 Wulf Krueger (RETIRED) gentoo-dev 2007-09-13 20:34:10 UTC
(In reply to comment #3)
> Wulf unfortunately this bug was public for a few moments (when moving it to the
> correct Bugzilla Product caused access restrictions to be removed). Will you
> please contact upstream and dicuss how to proceed?

The problem itself is fixed in Gentoo, this bug is restricted again - that's what's important. The KDE advisory about this problem will be published on September, 19th so just keeping this restricted (and stabilising the new revs) until then is sufficient.
Comment 9 Wulf Krueger (RETIRED) gentoo-dev 2007-09-14 21:37:54 UTC
Marked stable on amd64.
Comment 10 solar (RETIRED) gentoo-dev 2007-09-20 15:36:22 UTC
This is public now.
Comment 11 Tobias Scherbaum (RETIRED) gentoo-dev 2007-09-20 16:40:29 UTC
ppc done
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2007-09-20 17:02:20 UTC
adding the sparc alias (last remaining arc)
Comment 13 Sune Kloppenborg Jeppesen gentoo-dev 2007-09-25 20:49:27 UTC
Rerating since I don't think we're vulnerable in the default configuration.

KDM can be tricked into performing a password-less login even for accounts with a password set under certain circumstances. It requires autologin to be configured and "shutdown with password" enabled.
Comment 14 Tiago Cunha (RETIRED) gentoo-dev 2007-09-26 03:57:40 UTC
kde-base/kdebase-3.5.7-r4  USE="branding hal opengl pam -arts -cups -debug
-ieee1394 (-java) -kdeenablefinal (-kdehiddenvisibility) -ldap (-lm_sensors)
-logitech-mouse -openexr -samba -xcomposite -xinerama -xscreensaver"

1. Emerges on SPARC.
2. No collisions.
3. Test phase ok.

kde-base/kdm-3.5.7-r2  USE="pam -arts -debug -kdeenablefinal (-kdehiddenvisibility) -xinerama"

1. Emerges on SPARC.
2. No collisions.
3. Test phase ok.
4. Works.

Portage (default-linux/sparc/sparc64/2007.0, gcc-4.1.2, glibc-2.5-r4, 2.6.22-gentoo-r5 sparc64)
System uname: 2.6.22-gentoo-r5 sparc64 sun4u
Timestamp of tree: Sat, 22 Sep 2007 08:20:01 +0000
app-shells/bash:     3.2_p17
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.7.9-r1, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.21
CFLAGS="-O2 -mcpu=ultrasparc -pipe"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/init.d /etc/pam.d /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -mcpu=ultrasparc -pipe"
FEATURES="ccache collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test unmerge-orphans userfetch userpriv usersandbox"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
USE="X acl bash-completion bitmap-fonts branding bzip2 cli cracklib crypt dbus dri fortran gdbm gif gnome gtk hal iconv ipv6 isdnlog jpeg midi mudflap ncurses nptl nptlonly offensive opengl openmp pam pcre perl png postgres ppds pppd python readline reflection session sparc spl ssl svg tcpd test tiff truetype truetype-fonts type1-fonts xml xorg xv zlib" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="sunffb"
Comment 15 Raúl Porcel (RETIRED) gentoo-dev 2007-09-26 10:40:08 UTC
sparc stable, thanks Tiago

Removing all liaisons as well, since this is public
Comment 16 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-10-15 05:10:47 UTC
GLSA 200710-15