Bug 408811 (CVE-2007-5963)
Summary: | CVE-2007-5963 kdm: local DoS vulnerability | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> | ||||||
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||||
Status: | CLOSED WONTFIX | QA Contact: | |||||||
Severity: | low | Docs Contact: | |||||||
Priority: | low | ||||||||
Version: | unspecified | CC: | bressers, john, security-response-team, than | ||||||
Target Milestone: | --- | Keywords: | Security | ||||||
Target Release: | --- | ||||||||
Hardware: | All | ||||||||
OS: | Linux | ||||||||
Whiteboard: | |||||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||||
Doc Text: | Story Points: | --- | |||||||
Clone Of: | Environment: | ||||||||
Last Closed: | 2010-03-08 07:41:24 UTC | Type: | --- | ||||||
Regression: | --- | Mount Type: | --- | ||||||
Documentation: | --- | CRM: | |||||||
Verified Versions: | Category: | --- | |||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||
Embargoed: | |||||||||
Attachments: |
|
Description
Tomas Hoger
2007-12-03 16:25:11 UTC
Created attachment 275841 [details]
Upstream patch
Created attachment 277201 [details] Upstream patch (2nd part) Problem can be triggered by user's login image file (~/.face or ~/.face.icon) or by user's preferred display manager configuration file (~/.dmrc). Patch in comment #1 only addresses second case, this patch addresses first one. Public now, lifting embargo: http://bugs.gentoo.org/show_bug.cgi?id=200856 Due to low impact of this issue, upstream is incorporating the fix to next upstream release, but will probably not release security advisory. At this time Red Hat does not intend to address this flaw in a future update. If the status of this flaw changes, this bug report shall be updated accordingly. Someone on an IRC channel just said this, and then while searching found this bug, but did not wish to post, so i’m quoting them without editing: 23:43 <user> oh wow. i just had a linux moment 23:43 <user> kdm, by default, searches for every user and looks in their home directory for a .face.icon 23:43 <user> so here in my enterprise environment, that means it searches ldap for every account, and tries to open a file in their home directory... causing every home mount point to be mounted 23:45 <user> stupid thing is, my kdm login theme does not have the userlist in it. I am surprised this was WONTFIXed, if it still exhibits a behaviour this detrimental. |