Please note that this issue is under embargo until 2008-04-25. *Do not commit* anything to CVS and keep any information confidential until that date.

Advisory Draft

1. Systems affected:

start_kdeinit of KDE 3.x as of KDE 3.5.5 or newer. KDE 4.0 and newer is not affected. Only Linux platform is affected.

2. Overview:

start_kdeinit is a wrapper to launch kdeinit with a lower OOM score on Linux. This helper is used to ensure that a single KDE application triggering the Linux kernel OOM killer does not kill the whole KDE session. By default, start_kdeinit is installed as setuid root. The start_kdeinit processing of user-influenceable input is faulty.

3. Impact:

If start_kdeinit is installed as setuid root, a local user might be able to send unix signals to other processes, cause a denial of service or even possibly execute arbitrary code.
Created attachment 150638: patch for KDE 3.5.5 - KDE 3.5.9
Please prepare an ebuild with the patch and put it up here so we can call the arch security liaisons to test it. Do not commit anything to CVS before this has been made public.
Created attachment 150693: kde-base/kdelibs/kdelibs-3.5.8-r4.ebuild

Ebuild attached, the patch posted earlier goes in as files/kdelibs-3.5.8-kinit-CVE-FIXME.patch. The 3.5.9 ebuilds will get the same treatment, when I'm allowed to commit.
Use CVE-2008-1671 when committing then.

Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.

Target keywords : "alpha amd64 hppa ia64 ppc ppc64 release sparc x86"

CC'ing current Liaisons:
alpha : ferdy
amd64 : welp
hppa : jer
ppc : dertobi123
ppc64 : corsair
release : pva
sparc : fmccor
x86 : opfer
That's OK for HPPA.
Looks okay on alpha/ia64/sparc/x86
looks good on ppc64
good to go on ppc
As asked for by welp I've tested on amd64 on which it's fine, too.
This is public via $URL. KDE, please commit to the tree straight to stable for the arches that reported back. Thanks, everyone.
I am well aware I am no member of the KDE project, but since it's a right mess at the moment I have committed Ye Ebuilde And Patche to the tree.

  # ChangeLog for kde-base/kdelibs
  # Copyright 2002-2008 Gentoo Foundation; Distributed under the GPL v2
  # $Header: /var/cvsroot/gentoo-x86/kde-base/kdelibs/ChangeLog,v 1.523 2008/04/28 12:32:23 jer Exp $

  *kdelibs-3.5.8-r4 (28 Apr 2008)

    28 Apr 2008; Jeroen Roovers <jer@gentoo.org>
    +files/kdelibs-3.5.8-kinit-CVE-2008-1671.patch, +kdelibs-3.5.8-r4.ebuild:
    Straight to stable (bug #218933).
(In reply to comment #11)
> I am well aware I am no member of the KDE project, but since it's a right mess
> at the moment I have committed Ye Ebuilde And Patche to the tree.

I was out during the weekend, had Wulf not been retired today, he would've committed what I posted in #c3 first thing in the morning.

~arch done too.
Fixed in release snapshot.
GLSA 200804-30 thanks everyone