KDE Security Advisory: KDM symlink attack vulnerability
Original Release Date: 2006-06-15
1. Systems affected:
KDM as shipped with KDE 3.2.0 up to and including 3.5.3. KDE 3.1.x and
older, and versions newer than KDE 3.5.3, are not affected.
2. Overview:
KDM allows the user to select the session type for login. This
setting is stored persistently in the user's home directory. By
using a symlink attack, KDM can be tricked into disclosing to the
user the content of files that would otherwise be unreadable to
that user. This vulnerability was discovered and reported by
Ludwig Nussel.
3. Impact:
KDM might allow a normal user to read the content of /etc/shadow
or other files, which allows compromising the privacy of another
user or even the security of the whole system.
4. Solution:
Source code patches have been made available which fix this
vulnerability. Contact your OS vendor / binary package provider
for information about how to obtain updated binary packages.
5. Patch:
A patch for KDE 3.4.0 - KDE 3.5.3 is available from
A patch for KDE 3.3.x is available from
A patch for KDE 3.2.x is available from
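The bug class the advisory describes, as an added example that is not the page's or KDE's code: a privileged reader that follows whatever the user's rc file points at, beside an assumed hardening that opens with O_NOFOLLOW and checks file type and owner on the open descriptor. The fixture (temp directory under /tmp, a stand-in "secret" file, a symlinked "dmrc", and .dmrc-style content) is constructed here. Because the demo runs unprivileged, the stand-in secret is readable either way; what the three checks show is which reader follows the link, not a privilege boundary. The KDM patch itself is not on this page, so the checks in read_rc_checked are an assumption about a reasonable fix, not a description of KDM's.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Illustration of the bug class only; none of this is KDM's code.
 * A privileged process that reads a user-controlled path with plain
 * fopen() opens whatever the path resolves to. */
ssize_t read_rc_naive(const char *path, char *buf, size_t len)
{
    FILE *f = fopen(path, "r");      /* follows symlinks silently */
    if (!f)
        return -1;
    size_t n = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (ssize_t)n;
}

/* Assumed hardening (not the KDM patch): refuse symlinks with O_NOFOLLOW,
 * then verify on the open descriptor, not the path, that the file is a
 * regular file owned by the user whose settings are being read. Checking
 * the descriptor avoids a check-then-open race on the path. */
ssize_t read_rc_checked(const char *path, uid_t owner, char *buf, size_t len)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY);
    if (fd < 0)
        return -1;                   /* errno == ELOOP for a symlink */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(fd);
        errno = EPERM;               /* wrong type or owner: treat as absent */
        return -1;
    }
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

/* Constructed fixture in a fresh temp directory: "secret" stands in for a
 * root-only file such as /etc/shadow; "dmrc" is the user's rc file
 * replaced by a symlink to it. Writes the directory path into dir. */
int build_fixture(char *dir, size_t dirlen)
{
    char secret[4096], lnk[4096];
    snprintf(dir, dirlen, "%s", "/tmp/dmrc-demo-XXXXXX");
    if (!mkdtemp(dir))
        return -1;
    snprintf(secret, sizeof secret, "%s/secret", dir);
    snprintf(lnk, sizeof lnk, "%s/dmrc", dir);
    FILE *f = fopen(secret, "w");
    if (!f)
        return -1;
    fputs("root:$6$constructed$hash:17000:0:99999:7:::\n", f); /* made-up line */
    fclose(f);
    return symlink(secret, lnk);
}

/* 1 if the naive reader followed the symlink and returned the stand-in secret. */
int demo_naive_leaks(const char *dir)
{
    char path[4096], buf[256];
    snprintf(path, sizeof path, "%s/dmrc", dir);
    return read_rc_naive(path, buf, sizeof buf) > 0 && strstr(buf, "root:") != NULL;
}

/* 1 if the checked reader refused the symlink with ELOOP. */
int demo_checked_refuses(const char *dir)
{
    char path[4096], buf[256];
    snprintf(path, sizeof path, "%s/dmrc", dir);
    return read_rc_checked(path, getuid(), buf, sizeof buf) < 0 && errno == ELOOP;
}

/* 1 if the checked reader still reads a genuine rc file the user owns,
 * so the hardening does not break the normal login case. */
int demo_checked_accepts_regular(const char *dir)
{
    char path[4096], buf[256];
    snprintf(path, sizeof path, "%s/real.dmrc", dir);
    FILE *f = fopen(path, "w");
    if (!f)
        return 0;
    fputs("[Desktop]\nSession=kde\n", f);   /* constructed .dmrc-style content */
    fclose(f);
    return read_rc_checked(path, getuid(), buf, sizeof buf) > 0
           && strstr(buf, "Session=kde") != NULL;
}

int main(void)
{
    char dir[64];
    if (build_fixture(dir, sizeof dir) < 0) {
        perror("fixture");
        return 1;
    }
    printf("naive reader leaks symlink target: %s\n", demo_naive_leaks(dir) ? "yes" : "no");
    printf("checked reader refuses symlink:    %s\n", demo_checked_refuses(dir) ? "yes" : "no");
    printf("checked reader accepts real rc:    %s\n", demo_checked_accepts_regular(dir) ? "yes" : "no");
    return 0;
}
```

The owner check also covers a hard link to a root-owned file, since a hard link keeps the target's uid. The other standard defence for this class, dropping to the user's uid (seteuid) before touching anything under the home directory, is not shown here; it would make the kernel enforce the same boundary without any file-type reasoning in the daemon.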
Created attachment 88772
Created attachment 88773
Created attachment 88774
Carlo here it was, please provide updated ebuilds. <friendly reminder>Don't commit anything to Portage yet</friendly reminder>
Created attachment 88902
Created attachment 88903
O.k., these are the kdm ebuilds to be tested (as much as this trivial patch needs to be tested). I'll commit the corresponding kdebase ebuilds directly to the tree in time. Please make sure you have synced, since I made some changes to the kde eclasses with regard to patch handling.
Arches, please test and report back if this is stable. As always: _don't_ commit to the tree!
Passing on to weeve, he's our kde mofo and i'm not quite yet feeling good anyway.
compiles and runs fine on PPC64, even though I'm not sure how to test if security issue is fixed... guess it just *is*.
Arch Sec Liaisons, please note that public disclosure is tomorrow, so we are in a bit of a hurry here.
Tomorrow as in 13 Jun 2006 or 14 Jun 2006?
/me doesn't know what timezone you are in.
(In reply to comment #10)
> compiles and runs fine on PPC64, even though I'm not sure how to test if
> security issue is fixed... guess it just *is*.
Formerly KDM was fine with reading ~/.dmrc - as long as it succeeded. A user could replace his ~/.dmrc with a symlink to another file to get e.g. the content of /etc/shadow. Looking at the code, this is not possible anymore, but you can still test of course. :)
(In reply to comment #12)
> Tomorrow as in 13 Jun 2006 or 14 Jun 2006?
14th 16:00 GMT
Looks good on SPARC. I'm fine with it being keyworded.
Looks also good on ppc.
Announcement is out, so the bug can be opened and arch teams cc'ed.
with ppc and sparc stable. Other arch teams are asked to follow asap. Thanks. :)
Arches please test and mark stable asap.
*** Bug 136807 has been marked as a duplicate of this bug. ***
Duh, I forgot to commit the most important file - the patch. :( It's in CVS now.
kdm-3.4.3-r2, kdm-3.5.2-r1, kdebase-3.4.3-r2, and kdebase-3.5.2-r2 stable on alpha and amd64. Sorry for the delay, this one required quite a bit of compiling ;)
stable on ppc64
stable on hppa
Didn't want to wait forever on second pair of eyes. Stable on x86.
Ready for GLSA.
Security please review draft.
ia64, mips: don't forget to mark stable to benefit from the GLSA.
In this bug report it says "fixed in kdm-3.5.2-r1", but in the GLSA it says "vulnerable < 3.5.2-r2" and "unaffected >= 3.5.2-r2". Since I can't find a kdm-3.5.2-r2 in my just-synced portage tree, I think it's a typo in the GLSA.
As Horst said, the GLSA isn't correct.
Sorry for that, should be fixed in CVS now. Thanks for reporting this.