Bug 166997

Summary: CAN-2005-2494 kcheckpass privilege escalation
Product: [Fedora] Fedora
Reporter: Josh Bressers <bressers>
Component: kdebase
Assignee: Than Ngo <than>
Status: CLOSED ERRATA
QA Contact: Ben Levenson <benl>
Severity: low
Priority: medium
Version: 4
CC: security-response-team
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=low,reported=20050828,public=20050905,source=vendorsec
Doc Type: Bug Fix
Last Closed: 2005-09-01 17:23:07 UTC

Description Josh Bressers 2005-08-29 15:05:19 UTC
+++ This bug was initially created as a clone of Bug #166995 +++

This text was scavenged from the KDE advisory:

KDE Security Advisory: kcheckpass local root vulnerability
Original Release Date: 2008-09-05
URL: http://www.kde.org/info/security/advisory-20050905-1.txt

0. References

        CAN-2005-FIXME

1. Systems affected:

        All KDE releases starting from KDE 3.2.0 up to and including
        KDE 3.4.2.


2. Overview:

        Ilja van Sprundel from suresec.org notified the KDE
        security team about a serious lock file handling error
        in kcheckpass that can, in some configurations, be used
        to gain root access.

        In order for an exploit to succeed, the directory /var/lock
        has to be writeable for a user that is allowed to invoke
        kcheckpass.


3. Impact:

        A local user can escalate its privileges to the root user.
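
The advisory above makes exploitability conditional on /var/lock being writable by a user who may run kcheckpass. The following added script (not part of the bug or the KDE advisory) evaluates that precondition for a given user from the directory's mode, owner and group, resolving supplementary groups the way a Fedora-style root:lock 775 layout requires; the user name, group id 54 and sample modes are constructed for illustration.

```python
"""Check the /var/lock precondition for the kcheckpass lock-file bug.

Added example. The advisory only states that /var/lock must be writable
by a user allowed to invoke kcheckpass, so this reports write access by
ordinary DAC rules and flags the sticky bit separately: the advisory does
not say whether sticky blocks the lock-file attack, so it is reported,
not assumed safe.
"""
import os
import pwd
import stat
import sys
from dataclasses import dataclass


@dataclass
class DirInfo:
    mode: int  # full st_mode, e.g. 0o41777 for a sticky world-writable dir
    uid: int   # owner uid
    gid: int   # owner gid


def can_write_dir(d: DirInfo, uid: int, gids: set) -> bool:
    """Emulate the kernel owner/group/other write check for a non-root uid."""
    perm = stat.S_IMODE(d.mode)
    if uid == d.uid:
        return bool(perm & stat.S_IWUSR)
    if d.gid in gids:          # primary or supplementary group match
        return bool(perm & stat.S_IWGRP)
    return bool(perm & stat.S_IWOTH)


def assess(d: DirInfo, uid: int, gids: set) -> str:
    """Return 'ok', 'exposed' or 'exposed-sticky' for one user/directory pair."""
    if not can_write_dir(d, uid, gids):
        return "ok"
    return "exposed-sticky" if d.mode & stat.S_ISVTX else "exposed"


def assess_path(path: str, username: str) -> str:
    """Live check: stat the directory and resolve the user's group list."""
    st = os.stat(path)
    pw = pwd.getpwnam(username)
    gids = set(os.getgrouplist(username, pw.pw_gid))
    return assess(DirInfo(st.st_mode, st.st_uid, st.st_gid), pw.pw_uid, gids)


if __name__ == "__main__":
    # Usage: python check_var_lock.py [username]   (username is constructed)
    user = sys.argv[1] if len(sys.argv) > 1 else "nobody"
    print(f"/var/lock for {user}: {assess_path('/var/lock', user)}")
```

Run it for each account that can reach kcheckpass; any result other than "ok" means the advisory's precondition holds for that user on this host.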

Comment 1 Josh Bressers 2005-08-29 15:06:06 UTC
This issue also affects FC3

Comment 3 Josh Bressers 2005-08-29 15:38:06 UTC
Please see the parent bug for the proposed patch.

Comment 4 Than Ngo 2005-09-01 17:23:07 UTC
I have already committed the patch into CVS; it will be included in the next
kdebase update.

Comment 5 Mark J. Cox 2005-09-06 13:13:12 UTC
Public via bugtraq, removing embargo -- note we don't ship anything with
/var/lock world writeable.

Comment 6 David Eisenstein 2006-02-06 02:07:39 UTC
Note that although kdebase version 6:3.4.2-0.fc4.3 appears in the
changelog in the current FC4 kdebase version, which says it applies
the upstream patch, kdebase-3.4.2-0.fc3.4 was never issued by RedHat.

This issue was fixed in FC4 by the release of kdebase-3.5.0-0.1.fc4 on
2005-12-17 in the announcement FEDORA-2005-1152 <http://tinyurl.com/asdtn>.

This issue has not yet been fixed in FC3.  It also appears that the fix for
this was not checked into CVS for FC3.

See Bug #180057 for fixes of this issue for FC3 and FC2 via FedoraLegacy.