KDE Security Advisory: KDM Local Privilege Escalation Vulnerability
Original Release Date: 2010-04-13
1. Systems affected:
KDM as shipped with KDE SC 2.2.0 up to and including KDE SC 4.4.2
KDM contains a race condition that allows local attackers to
make arbitrary files on the system world-writable. This can
happen while KDM tries to create its control socket during
user login. This vulnerability has been discovered by
Sebastian Krahmer from the SUSE Security Team.
A local attacker with a valid local account can under
certain circumstances make use of this vulnerability to
execute arbitrary code as root.
Source code patches have been made available which fix these
vulnerabilities. Contact your OS vendor / binary package provider
for information about how to obtain updated binary packages.
A patch for KDE 4.3.x-4.4.x is available from
KDE, please provide a patched ebuild ASAP.
Fixed in kdm-4.3.5-r1, kdm-4.4.2-r2
(In reply to comment #2)
> Fixed in kdm-4.3.5-r1, kdm-4.4.2-r2
Note that HPPA refused to stabilize 4.3.5, so you "need" to maintain also 4.3.3 wrt http://bugs.gentoo.org/show_bug.cgi?id=300393#c7
Race condition in backend/ctrl.c in KDM in KDE Software Compilation
(SC) 2.2.0 through 4.4.2 allows local users to change the permissions
of arbitrary files, and consequently gain privileges, by blocking the
removal of a certain directory that contains a control socket,
related to improper interaction with ksm.
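The two descriptions above boil down to one pattern: a privileged daemon applies permissions to a directory by path name, and an attacker who can keep that directory around (here by blocking its removal) can swap it for a link before the permission change lands. The block below is an added illustration, not KDM's ctrl.c or the patch; the function names and the throwaway /tmp layout are constructed for the demo. It places the weak path-based routine beside a descriptor-based one that opens the directory with O_NOFOLLOW, verifies with fstat() what it actually opened, and changes the mode through the descriptor, so the object inspected is the object modified.

```c
/* Added example: chmod-by-path vs chmod-by-descriptor for a control directory.
 * Not KDM's code; function names and the /tmp layout are constructed. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern: the mode is applied to a path name. If the directory was
 * replaced by a symlink between mkdir() and chmod(), chmod() follows the
 * link and the mode lands on whatever the link points at. */
int setup_dir_by_path(const char *dir, mode_t mode)
{
    if (mkdir(dir, 0700) != 0 && errno != EEXIST)
        return -1;
    return chmod(dir, mode);          /* follows symlinks */
}

/* Hardened pattern: open the directory itself without following links,
 * check with fstat() that it is a directory owned by the expected uid, and
 * change the mode through the descriptor. */
int setup_dir_by_fd(const char *dir, uid_t expect_uid, mode_t mode)
{
    if (mkdir(dir, 0700) != 0 && errno != EEXIST)
        return -1;
    int fd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)                        /* ELOOP on a planted symlink */
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode) || st.st_uid != expect_uid) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    int rc = fchmod(fd, mode);
    close(fd);
    return rc;
}

static int mode_of(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

/* Constructed layout under a fresh mkdtemp() directory:
 *   victim  regular file, mode 0600
 *   ctl     symlink -> victim, standing in for a swapped-out socket directory.
 * Returns 1 when the fd-based routine refuses the link and leaves victim
 * untouched while the path-based routine changes victim's mode. */
int demo_symlink_planted(void)
{
    char base[] = "/tmp/ctldemo.XXXXXX";
    if (!mkdtemp(base))
        return 0;
    char victim[64], link[64];
    snprintf(victim, sizeof victim, "%s/victim", base);
    snprintf(link, sizeof link, "%s/ctl", base);
    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return 0;
    close(fd);
    if (symlink("victim", link) != 0)  /* target relative to the link's directory */
        return 0;

    int hardened_rc = setup_dir_by_fd(link, getuid(), 0770);
    int untouched = mode_of(victim) == 0600;
    int weak_rc = setup_dir_by_path(link, 0770);
    int followed = mode_of(victim) == 0770;

    unlink(link); unlink(victim); rmdir(base);
    return hardened_rc == -1 && untouched && weak_rc == 0 && followed;
}

/* Same hardened routine on a genuine directory: it must still succeed. */
int demo_real_directory(void)
{
    char base[] = "/tmp/ctldemo.XXXXXX";
    if (!mkdtemp(base))
        return 0;
    char dir[64];
    snprintf(dir, sizeof dir, "%s/ctl", base);
    int rc = setup_dir_by_fd(dir, getuid(), 0770);
    int ok = rc == 0 && mode_of(dir) == 0770;
    rmdir(dir); rmdir(base);
    return ok;
}

int main(void)
{
    printf("planted symlink: hardened refuses, weak follows = %d\n", demo_symlink_planted());
    printf("real directory: hardened succeeds = %d\n", demo_real_directory());
    return 0;
}
```

The ownership check in setup_dir_by_fd is what makes the descriptor approach meaningful: O_NOFOLLOW alone stops a symlink at the last path component, but a directory the attacker merely kept alive (rather than replaced) is still caught by comparing st_uid with the owner the daemon expects before any mode is granted.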
was there any reason we have been waiting for over a month now for someone to CC arches for kdm-4.3.5-r1 stabilization?
are you still maintaining 4.3.3? we could use 4.3.3-r1 for hppa since they don't do newer versions and it's a security-supported arch (or is it?)
Local root exploit:
(In reply to comment #5)
> was there any reason we have been waiting for over a month now for someone to
> CC arches for kdm-4.3.5-r1 stabilization?
No, sorry. Most of the team is inactive.
> are you still maintaining 4.3.3? we could use 4.3.3-r1 for hppa since they
> don't do newer versions and it's a security-supported arch (or is it?)
It is. KDE, what's your take on this?
Arches, please test and mark stable:
Target keywords : "amd64 hppa ppc ppc64 x86"
Marked ppc/ppc64 stable.
Whoops, only marked ppc, not ppc64, sorry for the noise.
Fixed in 4.4.4
ppc64, please test and mark stable as soon as possible:
KDE, please comment on comment #7 and at best provide a 4.3.3-r1 with the patch if possible
kdm-4.3.3 removed from tree
ready for glsa, I guess it should mention that hppa and ppc64 users should "emerge -C kdm"
glsa request filed.
CC us back if you need us again
This issue was resolved and addressed in
GLSA 201412-08 at http://security.gentoo.org/glsa/glsa-201412-08.xml
by GLSA coordinator Sean Amoss (ackle).