Bug 136201 - kde-base/kdebase KDM symlink vulnerability (CVE-2006-2449)
Summary: kde-base/kdebase KDM symlink vulnerability (CVE-2006-2449)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.kde.org/info/security/advi...
Whiteboard: A3 [glsa] jaervosz
Keywords:
Duplicates: 136807
Depends on:
Blocks:
 
Reported: 2006-06-09 08:16 UTC by Sune Kloppenborg Jeppesen
Modified: 2007-05-31 10:55 UTC
CC: 7 users

See Also:
Package list:
Runtime testing required: ---


Attachments
post-3.2.0-kdebase-kdm.diff (485 bytes, patch), 2006-06-09 08:17 UTC, Sune Kloppenborg Jeppesen
post-3.3.0-kdebase-kdm.diff (644 bytes, patch), 2006-06-09 08:17 UTC, Sune Kloppenborg Jeppesen
post-3.5.0-kdebase-kdm.diff (508 bytes, patch), 2006-06-09 08:18 UTC, Sune Kloppenborg Jeppesen
kdm-3.5.2-r1.ebuild (2.38 KB, text/plain), 2006-06-11 06:26 UTC, Carsten Lohrke (RETIRED)
kdm-3.4.3-r2.ebuild (2.70 KB, text/plain), 2006-06-11 06:26 UTC, Carsten Lohrke (RETIRED)

Description Sune Kloppenborg Jeppesen gentoo-dev 2006-06-09 08:16:48 UTC
KDE Security Advisory: KDM symlink attack vulnerability
Original Release Date: 2006-06-15
URL: http://www.kde.org/info/security/advisory-20060615-1.txt

0. References
        CVE XXXXX-FIXME


1. Systems affected:

        KDM as shipped with KDE 3.2.0 up to including 3.5.3. KDE 3.1.x and
        older and newer versions than KDE 3.5.3 are not affected.


2. Overview:

        KDM allows the user to select the session type for login. This
        setting is permanently stored in the user home directory. By
        using a symlink attack, KDM can be tricked into allowing the
        user to read file content that would otherwise be unreadable
        to this particular user. This vulnerability was discovered
        and reported by Ludwig Nussel.


3. Impact:

        KDM might allow a normal user to read the content of /etc/shadow
        or other files, which allows compromising the privacy of another
        user or even the security of the whole system.

4. Solution:

        Source code patches have been made available which fix these
        vulnerabilities. Contact your OS vendor / binary package provider
        for information about how to obtain updated binary packages.


5. Patch:

        A patch for KDE 3.4.0 - KDE 3.5.3 is available from
        ftp://ftp.kde.org/pub/kde/security_patches :

        9daecff07d57dabba35da247e752916a  post-3.5.0-kdebase-kdm.diff

        A patch for KDE 3.3.x is available from
        ftp://ftp.kde.org/pub/kde/security_patches :

        f2e1424d97f2cd18674bef833274c5e3  post-3.3.0-kdebase-kdm.diff

        A patch for KDE 3.2.x is available from
        ftp://ftp.kde.org/pub/kde/security_patches :

        8aa6b41cccca4216c6eb1cf705c2370a  post-3.2.0-kdebase-kdm.diff
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2006-06-09 08:17:29 UTC
Created attachment 88772: post-3.2.0-kdebase-kdm.diff
Comment 2 Sune Kloppenborg Jeppesen gentoo-dev 2006-06-09 08:17:51 UTC
Created attachment 88773: post-3.3.0-kdebase-kdm.diff
Comment 3 Sune Kloppenborg Jeppesen gentoo-dev 2006-06-09 08:18:11 UTC
Created attachment 88774: post-3.5.0-kdebase-kdm.diff
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2006-06-09 08:22:07 UTC
Carlo here it was, please provide updated ebuilds. <friendly reminder>Don't commit anything to Portage yet</friendly reminder>
Comment 5 Carsten Lohrke (RETIRED) gentoo-dev 2006-06-11 06:26:31 UTC
Created attachment 88902: kdm-3.5.2-r1.ebuild
Comment 6 Carsten Lohrke (RETIRED) gentoo-dev 2006-06-11 06:26:58 UTC
Created attachment 88903: kdm-3.4.3-r2.ebuild
Comment 7 Carsten Lohrke (RETIRED) gentoo-dev 2006-06-11 06:35:37 UTC
O.k., these are the kdm ebuilds to be tested ( as much as this trivial patch needs to be tested). I'll commit the corresponding kdebase ebuilds directly to the tree in time. Please assure you have synced, since I did some changes to the kde eclasses with regards to patch handling.
Comment 8 Stefan Cornelius (RETIRED) gentoo-dev 2006-06-11 06:41:17 UTC
arches please test and report back if this is stable. as always: _don't_ commit to the tree!
Comment 9 Gustavo Zacarias (RETIRED) gentoo-dev 2006-06-12 06:50:35 UTC
Passing on to weeve, he's our kde mofo and i'm not quite yet feeling good anyway.
Comment 10 Markus Rothe (RETIRED) gentoo-dev 2006-06-12 11:33:20 UTC
compiles and runs fine on PPC64, even though I'm not sure how to test if security issue is fixed... guess it just *is*.
Comment 11 Sune Kloppenborg Jeppesen gentoo-dev 2006-06-12 23:31:20 UTC
Arch Sec Liaisons please note that public disclosure is tomorrow so we are in a bit of a hurry here.
Comment 12 Jason Wever (RETIRED) gentoo-dev 2006-06-13 08:29:46 UTC
Tomorrow as in 13 Jun 2006 or 14 Jun 2006?

/me doesn't know what timezone you are in.
Comment 13 Carsten Lohrke (RETIRED) gentoo-dev 2006-06-13 14:39:46 UTC
(In reply to comment #10)
> compiles and runs fine on PPC64, even though I'm not sure how to test if
> security issue is fixed... guess it just *is*.
> 

Formerly KDM was fine with reading ~/.dmrc - as long as it succeeded. A user could replace his ~/.dmrc with a symlink to another file to get e.g. the content of /etc/shadow. Looking at the code, this is not possible anymore, but you can still test of course. :)


(In reply to comment #12)
> Tomorrow as in 13 Jun 2006 or 14 Jun 2006?

14th 16:00 GMT
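The failure Carsten describes above (a privileged display manager reading a file in the user's home directory, which the user can replace with a symlink to a file they could not otherwise open) is the general shape of a symlink-following bug. The following is an added example, not KDM's code and not the patch attached to this bug: it shows how a privileged process can read a per-user file while refusing to follow a symlink at the final path component and checking type and ownership on the descriptor it actually reads from. The function names read_user_config and demo_verdict, the cfg_status verdicts and the scratch paths under /tmp are assumptions made for this illustration.

```c
/* Added example: reading a user-owned config file from a privileged process
 * without following symlinks. Not KDM's code; names are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Verdicts returned by read_user_config(). */
enum cfg_status {
    CFG_OK = 0,
    CFG_SYMLINK,      /* final path component is a symlink: refused */
    CFG_NOT_REGULAR,  /* directory, FIFO, device, ...: refused */
    CFG_WRONG_OWNER,  /* owned by someone other than the user being served */
    CFG_IO_ERROR      /* open/fstat/read failed for another reason */
};

/* Read up to bufsz-1 bytes of `path` on behalf of user `owner`. The caller
 * may be running as root, so nothing the user controls may redirect the
 * read to a file the user could not open with their own privileges. */
int read_user_config(const char *path, uid_t owner, char *buf, size_t bufsz)
{
    /* O_NOFOLLOW: open() fails with ELOOP instead of following a symlink
     * at the last component, which is exactly the ~/.dmrc -> other-file case. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY | O_CLOEXEC);
    if (fd < 0)
        return errno == ELOOP ? CFG_SYMLINK : CFG_IO_ERROR;

    /* Inspect the descriptor we hold, not the path name: stat() on the path
     * followed by open() would leave a race window between the two calls. */
    struct stat st;
    int status = CFG_OK;
    if (fstat(fd, &st) != 0)
        status = CFG_IO_ERROR;
    else if (!S_ISREG(st.st_mode))
        status = CFG_NOT_REGULAR;
    else if (st.st_uid != owner)
        status = CFG_WRONG_OWNER;  /* e.g. a hard link to another user's file */
    if (status != CFG_OK) {
        close(fd);
        return status;
    }

    ssize_t n = read(fd, buf, bufsz - 1);
    close(fd);
    if (n < 0)
        return CFG_IO_ERROR;
    buf[n] = '\0';
    return CFG_OK;
}

/* Fixture helper: write `text` to `path`; 0 on success. */
static int write_file(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (!f)
        return -1;
    int ok = fputs(text, f) >= 0;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

/* Constructed demo. Builds a scratch directory holding a genuine .dmrc-style
 * file, a second file standing in for one the user must not read, and a
 * symlink pointing at that second file. Reads either the genuine file
 * (use_symlink == 0) or the symlink (use_symlink == 1) through
 * read_user_config() and returns its verdict; -1 means the fixture failed. */
int demo_verdict(int use_symlink)
{
    char dir[] = "/tmp/dmrc-demo-XXXXXX";  /* constructed scratch location */
    if (!mkdtemp(dir))
        return -1;
    char real[PATH_MAX], other[PATH_MAX], link[PATH_MAX], buf[256];
    snprintf(real, sizeof real, "%s/dmrc", dir);
    snprintf(other, sizeof other, "%s/not-for-this-user", dir);
    snprintf(link, sizeof link, "%s/dmrc-as-symlink", dir);
    int verdict = -1;
    if (write_file(real, "[Desktop]\nSession=kde\n") == 0 &&
        write_file(other, "constructed stand-in for a protected file\n") == 0 &&
        symlink(other, link) == 0)
        verdict = read_user_config(use_symlink ? link : real, getuid(),
                                   buf, sizeof buf);
    unlink(link);
    unlink(other);
    unlink(real);
    rmdir(dir);
    return verdict;
}

int main(void)
{
    printf("genuine file: verdict %d (CFG_OK is %d)\n", demo_verdict(0), CFG_OK);
    printf("symlink:      verdict %d (CFG_SYMLINK is %d)\n", demo_verdict(1), CFG_SYMLINK);
    return 0;
}
```

O_NOFOLLOW only covers the last component of the path. If the user also controls a parent directory on the way to the file, the remaining options are to open relative to a trusted directory descriptor with openat(), or to perform the read with the user's own privileges (a child that has dropped to that uid) so the kernel's normal permission checks apply. The ownership test on the open descriptor is what catches the hard-link variant, which O_NOFOLLOW alone does not.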
Comment 14 Jason Wever (RETIRED) gentoo-dev 2006-06-13 19:38:24 UTC
Looks good on SPARC.  I'm fine with it being keyworded.
Comment 15 Tobias Scherbaum (RETIRED) gentoo-dev 2006-06-14 04:51:57 UTC
Looks also good on ppc.
Comment 16 Carsten Lohrke (RETIRED) gentoo-dev 2006-06-14 11:48:26 UTC
Announcement is out, so the bug can be opened and arch teams cc'ed.


Committed 

kdm-3.4.3-r2
kdm-3.5.2-r1
kdebase-3.4.3-r2
kdebase-3.5.2-r2

with ppc and sparc stable. Other arch teams are asked to follow asap. Thanks. :)
Comment 17 Sune Kloppenborg Jeppesen gentoo-dev 2006-06-14 12:00:25 UTC
Arches please test and mark stable asap.
Comment 18 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-06-14 12:19:06 UTC
*** Bug 136807 has been marked as a duplicate of this bug. ***
Comment 19 Carsten Lohrke (RETIRED) gentoo-dev 2006-06-14 14:30:27 UTC
Duh, I missed to commit the most important file - the patch. :( It's in cvs now.
Comment 20 Thomas Cort (RETIRED) gentoo-dev 2006-06-14 19:07:19 UTC
kdm-3.4.3-r2, kdm-3.5.2-r1, kdebase-3.4.3-r2, and kdebase-3.5.2-r2 stable on alpha and amd64. Sorry for the delay, this one required quite a bit of compiling ;)
Comment 21 Markus Rothe (RETIRED) gentoo-dev 2006-06-15 00:01:05 UTC
stable on ppc64
Comment 22 René Nussbaumer (RETIRED) gentoo-dev 2006-06-17 03:51:29 UTC
stable on hppa
Comment 23 Carsten Lohrke (RETIRED) gentoo-dev 2006-06-17 05:03:51 UTC
Didn't want to wait forever on a second pair of eyes. Stable on x86.
Comment 24 Sune Kloppenborg Jeppesen gentoo-dev 2006-06-17 06:19:43 UTC
Thx Carsten.

Ready for GLSA.

Security please review draft.
Comment 25 Sune Kloppenborg Jeppesen gentoo-dev 2006-06-22 13:13:17 UTC
GLSA 200606-23

ia64, mips don't forget to mark stable to benefit from the GLSA.
Comment 26 Horst Prote 2006-06-23 02:19:33 UTC
In this bug report it says "fixed in kdm-3.5.2-r1" but in the GLSA it says "vulnerable < 3.5.2-r2" and "unaffected >= 3.5.2-r2". Since I can't find a kdm-3.5.2-r2 in my just synced portage tree, I think it's a typo in the GLSA.
Comment 27 Carsten Lohrke (RETIRED) gentoo-dev 2006-06-23 15:47:25 UTC
As Horst said, the GLSA isn't correct.
Comment 28 Stefan Cornelius (RETIRED) gentoo-dev 2006-06-24 07:41:01 UTC
Sorry for that, should be fixed in CVS now. Thanks for reporting this.