Bug 408811 (CVE-2007-5963)

Summary: CVE-2007-5963 kdm: local DoS vulnerability
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
CC: bressers, john, security-response-team, than
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-03-08 07:41:24 UTC
Attachments:
  Upstream patch (flags: none)
  Upstream patch (2nd part) (flags: none)

Description Tomas Hoger 2007-12-03 16:25:11 UTC
The KDE Security Team provided us with the following draft of their security advisory:

KDE Security Advisory: KDM Denial of Service Vulnerability
Original Release Date: 2007-12-XX
URL: http://www.kde.org/info/security/advisory-200712XX-1.txt

0. References
        CVE-FIXME


1. Systems affected:

	KDM as shipped with KDE 3.2.0 up to and including 3.5.8.


2. Overview:

	KDM can be tricked into hanging or eating memory by reading from
	special files (pipes or symlinks to devices), big or sparse files
	created in the user's home directory.

	A regular user with a valid account is able to prepare his home
	directory in a way that will make login via KDM impossible for
	any user if KDM's user list display is enabled and users are
	permitted to add their own images. Given that the account can be
	identified easily, this issue is only sensitive for high
	security environments.

3. Impact:

	A regular user with a valid account is able to make login via KDM
	impossible. A regular user can also cause KDM to exceed the
	system resource limits.

3a. Workaround:

	The login DoS can be worked around by either disabling the user list
	feature entirely (UserList=false in kdmrc) or displaying only
	administratively assigned images (FaceSource=AdminOnly).

	The memory consumption issue can be worked around by setting an
	appropriate resource limit on KDM itself. Note that this affects 
	local X servers as well.

4. Solution:

        Source code patches have been made available which fix these
        vulnerabilities. Contact your OS vendor / binary package provider
        for information about how to obtain updated binary packages.


5. Patch:

        A patch for KDE 3.3.0 - KDE 3.5.7 is available from
        ftp://ftp.kde.org/pub/kde/security_patches :

        205b2928f5a3b6f68527f33c05f56fb4  post-3.5.8-kdebase-kdm.diff

Comment 1 Tomas Hoger 2007-12-03 16:28:39 UTC
Created attachment 275841 [details]
Upstream patch

Comment 5 Tomas Hoger 2007-12-04 17:50:31 UTC
Created attachment 277201 [details]
Upstream patch (2nd part)

The problem can be triggered by the user's login image file (~/.face or ~/.face.icon)
or by the user's preferred display manager configuration file (~/.dmrc). The patch in
comment #1 only addresses the second case; this patch addresses the first one.
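
The advisory lists pipes, symlinks to devices and big or sparse files as the triggers, and the comment above names ~/.face, ~/.face.icon and ~/.dmrc as the files read. As an added illustration (not the upstream patch and not KDM code), this is one way a privileged process can read such a user-owned file on Linux without hanging or exhausting memory; `read_user_file`, `FACE_MAX` and the 64 KiB cap are assumptions made for the example.

```c
#define _GNU_SOURCE                 /* for O_NOFOLLOW on older glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#define FACE_MAX (64 * 1024)        /* assumed cap, not a KDM constant */

/* Returns 0 and a malloc'd, NUL-terminated buffer; -1 with errno set on rejection. */
int read_user_file(const char *path, size_t max_len, char **out, size_t *out_len)
{
    /* O_NONBLOCK: opening a FIFO that has no writer returns at once.
     * O_NOFOLLOW: a symlink as the final path component is refused. */
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_NOFOLLOW | O_NOCTTY);
    if (fd < 0)
        return -1;

    struct stat st;
    int err = 0;
    if (fstat(fd, &st) < 0)         /* check the opened object, not the path */
        err = errno;
    else if (!S_ISREG(st.st_mode))
        err = EINVAL;               /* pipe, device, directory, socket */
    else if (st.st_size > (off_t)max_len)
        err = EFBIG;                /* big or sparse: judged by apparent size */

    char *buf = err ? NULL : malloc(max_len + 1);
    if (!err && !buf)
        err = ENOMEM;
    size_t got = 0;
    while (!err && got < max_len) { /* bounded even if the file grows after fstat */
        ssize_t n = read(fd, buf + got, max_len - got);
        if (n > 0) got += (size_t)n;
        else if (n == 0) break;
        else if (errno != EINTR) err = errno;
    }
    close(fd);
    if (err) { free(buf); errno = err; return -1; }
    buf[got] = '\0';
    *out = buf;
    *out_len = got;
    return 0;
}
```

This covers only the file read itself; the advisory's workarounds (UserList=false or FaceSource=AdminOnly in kdmrc) avoid reading user-owned image files in the first place.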

Comment 7 Tomas Hoger 2007-12-17 17:22:46 UTC
Public now, lifting embargo:

http://bugs.gentoo.org/show_bug.cgi?id=200856

Due to the low impact of this issue, upstream is incorporating the fix into the next
upstream release, but will probably not release a security advisory.

Comment 9 Josh Bressers 2010-03-05 16:12:36 UTC
At this time Red Hat does not intend to address this flaw in a future update. If the status of this flaw changes, this bug report shall be updated accordingly.

Comment 10 John Drinkwater 2013-04-16 22:59:28 UTC
Someone on an IRC channel just said this, and then while searching found this bug, but did not wish to post, so I’m quoting them without editing:

23:43 <user> oh wow. i just had a linux moment
23:43 <user> kdm, by default, searches for every user and looks in their home directory for a .face.icon
23:43 <user> so here in my enterprise environment, that means it searches ldap for every account, and tries to open a file in their home directory... causing every home mount point to be mounted
23:45 <user> stupid thing is, my kdm login theme does not have the userlist in it.

I am surprised this was WONTFIXed, if it still exhibits a behaviour this detrimental.