Bug 443768 (CVE-2008-1671)

Summary: CVE-2008-1671 kdelibs: multiple vulnerabilities in start_kdeinit
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: kevin, ltinkl, rdieter, security-response-team, than
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-04-28 07:47:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Upstream patch none

Description Tomas Hoger 2008-04-23 08:01:47 UTC 
Upcoming KDE security advisory:

Systems affected:
	start_kdeinit of KDE 3.x as of KDE 3.5.5 or newer. KDE 4.0
	and newer is not affected. Only Linux platform is affected.

Overview:
	start_kdeinit is a wrapper to launch kdeinit with a lower OOM
	score on Linux. This helper is used to ensure that a
	single KDE application triggering the Linux kernel OOM killer
	does not kill the whole KDE session. By default,
	start_kdeinit is installed as setuid root. The start_kdeinit
	processing of user-influenceable input is faulty.

Impact:
        If start_kdeinit is installed as setuid root, a local user
        might be able to send unix signals to other processes, cause
        a denial of service or even possibly execute arbitrary code.
Comment 1 Tomas Hoger 2008-04-23 08:02:42 UTC 
Created attachment 303448 [details]
Upstream patch
Comment 2 Tomas Hoger 2008-04-23 08:10:17 UTC 
This issue did not affect versions of kdelibs as shipped with Red Hat Enterprise
Linux 2.1, 3, 4, or 5, that do not ship start_kdeinit helper.

start_kdeinit is shipped in versions of KDE currently in Fedora 7 and 8, however
start_kdeinit is not installed as setuid root in Fedora, so Fedora kdelibs
packages are not affected by this problem.
Comment 3 Tomas Hoger 2008-04-28 07:38:09 UTC 
Public now, lifting embargo:

http://www.kde.org/info/security/advisory-20080426-2.txt
Comment 4 Tomas Hoger 2008-04-28 07:47:06 UTC 
Closing based on comment #2.
Comment 5 Kevin Kofler 2008-04-28 12:50:06 UTC 
I looked at this yesterday and I've come to the same conclusion, so I can 
confirm that Fedora is not affected.
Comment 6 Kevin Kofler 2008-04-28 12:51:33 UTC 
Oh, and start_kdeinit is also shipped in kdelibs3 in dist-f9, but is not 
installed setuid root there either => dist-f9 also unaffected.
Comment 7 Tomas Hoger 2008-04-28 13:01:56 UTC 
Kevin, thanks for review / confirmation!