KDE Security Advisory: KDM symlink attack vulnerability
Original Release Date: 2006-06-15
URL: http://www.kde.org/info/security/advisory-20060615-1.txt

0. References
CVE XXXXX-FIXME

1. Systems affected:
KDM as shipped with KDE 3.2.0 up to and including 3.5.3. KDE 3.1.x and older, and versions newer than KDE 3.5.3, are not affected.

2. Overview:
KDM allows the user to select the session type for login. This setting is permanently stored in the user's home directory. By using a symlink attack, KDM can be tricked into allowing the user to read file content that would otherwise be unreadable to this particular user. This vulnerability was discovered and reported by Ludwig Nussel.

3. Impact:
KDM might allow a normal user to read the content of /etc/shadow or other files, which allows compromising the privacy of another user or even the security of the whole system.

4. Solution:
Source code patches have been made available which fix this vulnerability. Contact your OS vendor / binary package provider for information about how to obtain updated binary packages.

5. Patch:
A patch for KDE 3.4.0 - KDE 3.5.3 is available from ftp://ftp.kde.org/pub/kde/security_patches :
9daecff07d57dabba35da247e752916a post-3.5.0-kdebase-kdm.diff

A patch for KDE 3.3.x is available from ftp://ftp.kde.org/pub/kde/security_patches :
f2e1424d97f2cd18674bef833274c5e3 post-3.3.0-kdebase-kdm.diff

A patch for KDE 3.2.x is available from ftp://ftp.kde.org/pub/kde/security_patches :
8aa6b41cccca4216c6eb1cf705c2370a post-3.2.0-kdebase-kdm.diff
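The bug class in the advisory is a privileged daemon opening a file under the user's control and trusting whatever the open path resolves to. The defensive pattern a practitioner would want to see is: refuse to follow a symlink at the final component, and verify type and ownership with fstat() on the descriptor that was actually opened, not with stat() on the path. The following is an added example and is not KDM's code or the content of the patches listed above; read_user_dotfile and demo_symlink_check are hypothetical names, the file contents are constructed, and the "other user" is simulated by passing a uid that does not match the file.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum dotfile_status {
    DOTFILE_OK = 0,
    DOTFILE_OPEN_FAILED,   /* open() failed; errno == ELOOP means the path is a symlink */
    DOTFILE_NOT_REGULAR,   /* directory, FIFO, device: not something a dotfile reader wants */
    DOTFILE_WRONG_OWNER,   /* opened file is not owned by the user being served */
    DOTFILE_READ_FAILED
};

/* Hypothetical helper (not KDM's code): read a per-user dotfile on behalf of
 * `owner` from a privileged process. O_NOFOLLOW makes open() fail with ELOOP
 * when the final path component is a symlink, and the type and ownership
 * checks use fstat() on the descriptor actually opened, so there is no
 * check-then-open race on the path. */
enum dotfile_status read_user_dotfile(const char *path, uid_t owner,
                                      char *buf, size_t buflen)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY | O_CLOEXEC);
    if (fd < 0)
        return DOTFILE_OPEN_FAILED;       /* errno is left intact for the caller */

    struct stat st;
    if (fstat(fd, &st) < 0) { close(fd); return DOTFILE_READ_FAILED; }
    if (!S_ISREG(st.st_mode)) { close(fd); return DOTFILE_NOT_REGULAR; }
    if (st.st_uid != owner)   { close(fd); return DOTFILE_WRONG_OWNER; }

    ssize_t n = read(fd, buf, buflen - 1);
    close(fd);
    if (n < 0)
        return DOTFILE_READ_FAILED;
    buf[n] = '\0';
    return DOTFILE_OK;
}

/* Constructed demonstration in a throwaway directory: a genuine dotfile, a
 * symlink to a file standing in for /etc/shadow, and a directory. Returns the
 * number of cases (out of 4) that behaved as intended. */
int demo_symlink_check(void)
{
    char dir[] = "/tmp/dotfile-demo-XXXXXX";
    if (!mkdtemp(dir))
        return -1;

    char secret[256], dotfile[256], lnk[256], buf[256];
    snprintf(secret,  sizeof secret,  "%s/secret", dir);
    snprintf(dotfile, sizeof dotfile, "%s/dotfile", dir);
    snprintf(lnk,     sizeof lnk,     "%s/dotfile-as-symlink", dir);

    FILE *f = fopen(secret, "w");               /* stand-in for a root-only file */
    if (!f) return -1;
    fputs("constructed-secret-not-for-this-user\n", f);
    fclose(f);
    f = fopen(dotfile, "w");                    /* the user's legitimate dotfile */
    if (!f) return -1;
    fputs("[Desktop]\nSession=kde\n", f);
    fclose(f);
    if (symlink(secret, lnk) < 0)               /* the attacker's replacement */
        return -1;

    uid_t me = getuid();
    int passed = 0;

    /* 1: the user's own regular file is read normally */
    if (read_user_dotfile(dotfile, me, buf, sizeof buf) == DOTFILE_OK &&
        strcmp(buf, "[Desktop]\nSession=kde\n") == 0)
        passed++;
    /* 2: a symlink in place of the dotfile is refused before anything is read */
    if (read_user_dotfile(lnk, me, buf, sizeof buf) == DOTFILE_OPEN_FAILED &&
        errno == ELOOP)
        passed++;
    /* 3: a directory opens fine but is rejected by the S_ISREG check */
    if (read_user_dotfile(dir, me, buf, sizeof buf) == DOTFILE_NOT_REGULAR)
        passed++;
    /* 4: a file owned by someone else (simulated with a different uid) is rejected */
    if (read_user_dotfile(dotfile, me + 1, buf, sizeof buf) == DOTFILE_WRONG_OWNER)
        passed++;

    unlink(lnk); unlink(dotfile); unlink(secret); rmdir(dir);
    return passed;
}

int main(void)
{
    int n = demo_symlink_check();
    printf("%d of 4 checks behaved as intended\n", n);
    return n == 4 ? 0 : 1;
}
```

Two caveats worth keeping in mind: O_NOFOLLOW only protects the last path component, so if any directory leading to the file is also under the user's control (a home directory usually is), a symlinked directory still redirects the open; the more robust approach for a daemon like a display manager is to drop privileges to the user before opening the file, so the kernel's own permission checks apply. The ownership check also catches the hard-link variant of the same trick, since a hard link to a root-owned file keeps root as its owner.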
Created attachment 88772 [details, diff] post-3.2.0-kdebase-kdm.diff
Created attachment 88773 [details, diff] post-3.3.0-kdebase-kdm.diff
Created attachment 88774 [details, diff] post-3.5.0-kdebase-kdm.diff
Carlo, here it is; please provide updated ebuilds. <friendly reminder>Don't commit anything to Portage yet</friendly reminder>
Created attachment 88902 [details] kdm-3.5.2-r1.ebuild
Created attachment 88903 [details] kdm-3.4.3-r2.ebuild
O.k., these are the kdm ebuilds to be tested (as much as this trivial patch needs to be tested). I'll commit the corresponding kdebase ebuilds directly to the tree in time. Please make sure you have synced, since I made some changes to the kde eclasses with regards to patch handling.
arches please test and report back if this is stable. as always: _don't_ commit to the tree!
Passing on to weeve, he's our kde mofo and i'm not quite yet feeling good anyway.
compiles and runs fine on PPC64, even though I'm not sure how to test if security issue is fixed... guess it just *is*.
Arch Sec Liaisons please note that public disclosure is tomorrow, so we are in a bit of a hurry here.
Tomorrow as in 13 Jun 2006 or 14 Jun 2006? /me doesn't know what timezone you are in.
(In reply to comment #10)
> compiles and runs fine on PPC64, even though I'm not sure how to test if
> security issue is fixed... guess it just *is*.

Formerly KDM was fine with reading ~/.dmrc - as long as it succeeded. A user could replace his ~/.dmrc with a symlink to another file to get e.g. the content of /etc/shadow. Looking at the code, this is not possible anymore, but you can still test of course. :)

(In reply to comment #12)
> Tomorrow as in 13 Jun 2006 or 14 Jun 2006?

14th 16:00 GMT
Looks good on SPARC. I'm fine with it being keyworded.
Looks also good on ppc.
Announcement is out, so the bug can be opened and arch teams cc'ed. Committed kdm-3.4.3-r2 kdm-3.5.2-r1 kdebase-3.4.3-r2 kdebase-3.5.2-r2 with ppc and sparc stable. Other arch teams are asked to follow asap. Thanks. :)
Arches please test and mark stable asap.
*** Bug 136807 has been marked as a duplicate of this bug. ***
Duh, I forgot to commit the most important file - the patch. :( It's in CVS now.
kdm-3.4.3-r2, kdm-3.5.2-r1, kdebase-3.4.3-r2, and kdebase-3.5.2-r2 stable on alpha and amd64. Sorry for the delay, this one required quite a bit of compiling ;)
stable on ppc64
stable on hppa
Didn't want to wait forever on second pair of eyes. Stable on x86.
Thx Carsten. Ready for GLSA. Security please review draft.
GLSA 200606-23. ia64, mips: don't forget to mark stable to benefit from the GLSA.
In this bug report it says "fixed in kdm-3.5.2-r1", but in the GLSA it says "vulnerable < 3.5.2-r2" and "unaffected >= 3.5.2-r2". Since I can't find a kdm-3.5.2-r2 in my just-synced portage tree, I think it's a typo in the GLSA.
As Horst said, the GLSA isn't correct.
Sorry for that, should be fixed in CVS now. Thanks for reporting this.