Gentoo Logo

kdebase: KDM vulnerabilities

Content:

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200311-01 / kdebase
Release Date November 15, 2003
Latest Revision November 15, 2003: 01
Impact normal
Exploitable local / remote
Package Vulnerable versions Unaffected versions Architecture(s)
kde-base/kdebase <= 3.1.3 >= 3.1.4 All supported architectures

Related bugreports: #29406

Synopsis

A bug in KDM can allow privilege escalation with certain configurations of PAM modules.

2.  Impact Information

Background

KDM is the desktop manager included with the K Desktop Environment.

Description

Firstly, versions of KDM <=3.1.3 are vulnerable to a privilege escalation bug with a specific configuration of PAM modules. Users who do not use PAM with KDM and users who use PAM with regular Unix crypt/MD5 based authentication methods are not affected.

Secondly, KDM uses a weak cookie generation algorithm. Users are advised to upgrade to KDE 3.1.4, which uses /dev/urandom as a non-predictable source of entropy to improve security.

Impact

A remote or local attacker could gain root privileges.

3.  Resolution Information

Workaround

There is no known workaround at this time.

Resolution

It is recommended that all Gentoo Linux users who are running kde-base/kdebase <=3.1.3 upgrade:

Code Listing 3.1: Resolution

# emerge sync
# emerge -pv '>=kde-base/kde-3.1.4'
# emerge '>=kde-base/kde-3.1.4'
# emerge clean

4.  References

Print

Page updated November 15, 2003

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.