Bug 570613 (CVE-2010-0436)

Summary: CVE-2010-0436 kdm privilege escalation flaw
Product: [Other] Security Response
Reporter: Josh Bressers <bressers>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: jreznik, mshao, security-response-team, than, vdanen, ycui
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-06-25 09:55:07 UTC
Bug Depends On: 570620, 570621, 570622, 570624, 570625

Attachments:
  Current proposed patch from upstream
  latest patch provided by upstream
  Initial upstream patch [1/2]
  Initial upstream patch [2/2]

Description Josh Bressers 2010-03-04 21:05:29 UTC
Sebastian Krahmer from the SUSE security team discovered a privilege escalation flaw in the KDE Display Manager (kdm).

kdm uses a user-owned directory to store a command socket. If the local user can prevent this directory from being removed, they can create a race condition with kdm that could result in setting an arbitrary file on the filesystem to have world-writable permissions.

A local user with access to a console running kdm could use this flaw to gain superuser access.

Comment 2 Josh Bressers 2010-03-04 21:21:44 UTC
Created attachment 397924 [details]
Current proposed patch from upstream

I'm not 100% sure this will be the final patch. I'll be sure to upload a new patch as soon as I hear more from upstream.

Comment 8 Vincent Danen 2010-03-15 15:39:01 UTC
Created attachment 400244 [details]
latest patch provided by upstream

This is the latest patch as provided to vendors.  I'd like to say it obsoletes the previous patch, but I'm not 100% sure that it does because it's quite different.

Comment 9 Tomas Hoger 2010-03-19 10:31:48 UTC
Created attachment 401213 [details]
Initial upstream patch [1/2]

The idea of the patch in comment #2 seems to have been abandoned and the fix in comment #8 is heading in the same direction as the initially proposed patch - instead of chowning the directory (/var/run/xdmctl/dmctl-$DISPLAY), it rather chowns the socket (/var/run/xdmctl/dmctl-$DISPLAY/socket).

As some systems reportedly do not honour file permissions on socket files, the patch in comment #8 adds an extra fallback mechanism for those systems, while the initial patch only caused configure to fail on such systems.

I'm attaching the initial upstream patch, as it does not have that extra fallback, which is not needed on Linux and won't be compiled in anyway.  This should be a better starting point for our backports.
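
The race described in the bug description and the direction of the fix discussed in comment #9, as an added illustration that is not kdm code, the upstream patch, or a Red Hat backport. It models the primitive with ordinary files so it runs unprivileged: a temp directory standing in for the user-owned dmctl-$DISPLAY directory, a private file "victim" and a symlink "socket" pointing at it (all names constructed here), and a privileged-style chmod() on "socket" that lands on "victim". The hardened variant is descriptor-based (O_NOFOLLOW plus fstat/fchmod), which differs from what upstream did; the lead-in point is why upstream instead moved to chowning only the socket inside a directory the user cannot modify: a Unix socket file cannot be open()ed (ENXIO), so the descriptor trick is not available for the real socket, and keeping the parent directory out of the user's control is what removes the race there.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (the shape of the kdm bug): a privileged process
 * chmod()s a path whose parent directory the local user controls.
 * chmod() follows symlinks, so the user swaps the entry for a symlink to
 * any file and that file's mode is changed instead. */
int chmod_by_path(const char *path, mode_t mode)
{
    return chmod(path, mode);
}

/* Hardened pattern, descriptor based (an assumption of this example, not
 * the upstream fix): open with O_NOFOLLOW so a symlink fails with ELOOP,
 * check via fstat() that the object is a regular file owned by the expected
 * uid, then fchmod() the descriptor so nothing can be swapped between the
 * check and the use. Returns 0 on success, -1 with errno set otherwise. */
int chmod_by_fd(const char *path, mode_t mode, uid_t expected_owner)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                       /* ELOOP when path is a symlink */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != expected_owner) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    int rc = fchmod(fd, mode);
    close(fd);
    return rc;
}

/* Permission bits of a file, or -1 if it cannot be stat()ed. */
int mode_bits(const char *path)
{
    struct stat st;
    return stat(path, &st) < 0 ? -1 : (int)(st.st_mode & 07777);
}

/* Constructed attacker setup in a fresh temp directory: a private file
 * "victim" (mode 0600) and a symlink "socket" -> victim, i.e. the entry the
 * privileged code is about to chmod has already been replaced. */
static int setup_race(char *dir, char *victim, char *link)
{
    strcpy(dir, "/tmp/kdmraceXXXXXX");
    if (!mkdtemp(dir))
        return -1;
    sprintf(victim, "%s/victim", dir);
    sprintf(link, "%s/socket", dir);
    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    return symlink(victim, link);
}

static void teardown(const char *dir, const char *victim, const char *link)
{
    unlink(link);
    unlink(victim);
    rmdir(dir);
}

/* Scenario A: path-based chmod through the swapped entry. Returns the
 * victim's resulting permission bits; 0666 means the redirect worked. */
int run_vulnerable(void)
{
    char dir[32], victim[64], link[64];
    if (setup_race(dir, victim, link) < 0)
        return -1;
    chmod_by_path(link, 0666);
    int m = mode_bits(victim);
    teardown(dir, victim, link);
    return m;
}

/* errno reported by the hardened function in scenario B (ELOOP). */
int hardened_errno;

/* Scenario B: descriptor-based chmod on the same setup. Returns the
 * victim's permission bits, which stay 0600 because the symlink is refused. */
int run_hardened(void)
{
    char dir[32], victim[64], link[64];
    if (setup_race(dir, victim, link) < 0)
        return -1;
    int rc = chmod_by_fd(link, 0666, getuid());
    hardened_errno = rc < 0 ? errno : 0;
    int m = mode_bits(victim);
    teardown(dir, victim, link);
    return m;
}

int main(void)
{
    printf("path-based chmod: victim mode %04o\n", run_vulnerable());
    int m = run_hardened();
    printf("fd-based chmod:   victim mode %04o, refused with %s\n", m, strerror(hardened_errno));
    return 0;
}
```

The takeaway that maps back to kdm: once the parent directory belongs to the unprivileged user, any path-based chown/chmod the privileged side performs underneath it is a symlink race; for socket files, where the descriptor approach cannot be used, the only robust option is the one upstream settled on, a root-owned directory with ownership changed on the socket alone.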

Comment 10 Tomas Hoger 2010-03-19 10:32:19 UTC
Created attachment 401214 [details]
Initial upstream patch [2/2]

Comment 13 Tomas Hoger 2010-03-19 11:02:37 UTC
Acknowledgements:

Red Hat would like to thank Sebastian Krahmer of SuSE Security Team for responsibly reporting this issue.

Comment 24 Tomas Hoger 2010-04-13 15:23:15 UTC
Public now via:
  http://www.kde.org/info/security/advisory-20100413-1.txt

Comment 25 errata-xmlrpc 2010-04-14 10:08:42 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2010:0348 https://rhn.redhat.com/errata/RHSA-2010-0348.html

Comment 26 Fedora Update System 2010-04-15 15:08:24 UTC
kdebase-workspace-4.4.2-5.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/kdebase-workspace-4.4.2-5.fc13

Comment 27 Fedora Update System 2010-04-15 15:14:39 UTC
kdeaccessibility-4.4.2-1.fc11,kdeadmin-4.4.2-1.fc11,kdeartwork-4.4.2-1.fc11,kdebase-4.4.2-1.fc11,kdebase-runtime-4.4.2-1.fc11,kdebase-workspace-4.4.2-5.fc11,kdebindings-4.4.2-1.fc11,kdeedu-4.4.2-1.fc11,kdegames-4.4.2-1.fc11,kdegraphics-4.4.2-3.fc11,kdelibs-4.4.2-2.fc11,kdemultimedia-4.4.2-2.fc11,kdenetwork-4.4.2-1.fc11,kdepim-4.4.2-1.fc11,kdepim-runtime-4.4.2-1.fc11,kdepimlibs-4.4.2-1.fc11,kdeplasma-addons-4.4.2-1.fc11,kdesdk-4.4.2-1.fc11,kdetoys-4.4.2-1.fc11,kdeutils-4.4.2-1.fc11.1,oxygen-icon-theme-4.4.2-1.fc11,sip-4.10.1-2.fc11,PyQt4-4.7.2-2.fc11,konq-plugins-4.4.0-3.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/kdeaccessibility-4.4.2-1.fc11,kdeadmin-4.4.2-1.fc11,kdeartwork-4.4.2-1.fc11,kdebase-4.4.2-1.fc11,kdebase-runtime-4.4.2-1.fc11,kdebase-workspace-4.4.2-5.fc11,kdebindings-4.4.2-1.fc11,kdeedu-4.4.2-1.fc11,kdegames-4.4.2-1.fc11,kdegraphics-4.4.2-3.fc11,kdelibs-4.4.2-2.fc11,kdemultimedia-4.4.2-2.fc11,kdenetwork-4.4.2-1.fc11,kdepim-4.4.2-1.fc11,kdepim-runtime-4.4.2-1.fc11,kdepimlibs-4.4.2-1.fc11,kdeplasma-addons-4.4.2-1.fc11,kdesdk-4.4.2-1.fc11,kdetoys-4.4.2-1.fc11,kdeutils-4.4.2-1.fc11.1,oxygen-icon-theme-4.4.2-1.fc11,sip-4.10.1-2.fc11,PyQt4-4.7.2-2.fc11,konq-plugins-4.4.0-3.fc11

Comment 28 Fedora Update System 2010-04-15 15:17:37 UTC
kdeaccessibility-4.4.2-1.fc12,kdeadmin-4.4.2-1.fc12,kdeartwork-4.4.2-1.fc12,kdebase-4.4.2-1.fc12,kdebase-runtime-4.4.2-1.fc12,kdebase-workspace-4.4.2-5.fc12,kdebindings-4.4.2-1.fc12,kdeedu-4.4.2-1.fc12,kdegames-4.4.2-1.fc12,kdegraphics-4.4.2-3.fc12,kdelibs-4.4.2-2.fc12,kdemultimedia-4.4.2-2.fc12,kdenetwork-4.4.2-1.fc12,kdepim-4.4.2-1.fc12,kdepim-runtime-4.4.2-1.fc12,kdepimlibs-4.4.2-1.fc12,kdeplasma-addons-4.4.2-1.fc12,kdesdk-4.4.2-1.fc12,kdetoys-4.4.2-1.fc12,kdeutils-4.4.2-1.fc12,oxygen-icon-theme-4.4.2-1.fc12,sip-4.10.1-2.fc12,PyQt4-4.7.2-2.fc12,konq-plugins-4.4.0-3.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/kdeaccessibility-4.4.2-1.fc12,kdeadmin-4.4.2-1.fc12,kdeartwork-4.4.2-1.fc12,kdebase-4.4.2-1.fc12,kdebase-runtime-4.4.2-1.fc12,kdebase-workspace-4.4.2-5.fc12,kdebindings-4.4.2-1.fc12,kdeedu-4.4.2-1.fc12,kdegames-4.4.2-1.fc12,kdegraphics-4.4.2-3.fc12,kdelibs-4.4.2-2.fc12,kdemultimedia-4.4.2-2.fc12,kdenetwork-4.4.2-1.fc12,kdepim-4.4.2-1.fc12,kdepim-runtime-4.4.2-1.fc12,kdepimlibs-4.4.2-1.fc12,kdeplasma-addons-4.4.2-1.fc12,kdesdk-4.4.2-1.fc12,kdetoys-4.4.2-1.fc12,kdeutils-4.4.2-1.fc12,oxygen-icon-theme-4.4.2-1.fc12,sip-4.10.1-2.fc12,PyQt4-4.7.2-2.fc12,konq-plugins-4.4.0-3.fc12

Comment 29 Fedora Update System 2010-04-16 23:33:02 UTC
kdeaccessibility-4.4.2-1.fc12, kdeadmin-4.4.2-1.fc12, kdeartwork-4.4.2-1.fc12, kdebase-4.4.2-1.fc12, kdebase-runtime-4.4.2-1.fc12, kdebindings-4.4.2-1.fc12, kdeedu-4.4.2-1.fc12, kdegames-4.4.2-1.fc12, kdegraphics-4.4.2-3.fc12, kdemultimedia-4.4.2-2.fc12, kdenetwork-4.4.2-1.fc12, kdepim-4.4.2-1.fc12, kdepim-runtime-4.4.2-1.fc12, kdepimlibs-4.4.2-1.fc12, kdeplasma-addons-4.4.2-1.fc12, kdesdk-4.4.2-1.fc12, kdetoys-4.4.2-1.fc12, kdeutils-4.4.2-1.fc12, oxygen-icon-theme-4.4.2-1.fc12, sip-4.10.1-2.fc12, PyQt4-4.7.2-2.fc12, konq-plugins-4.4.0-3.fc12, kdebase-workspace-4.4.2-5.fc12, kdelibs-4.4.2-2.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 30 Fedora Update System 2010-04-16 23:43:17 UTC
kdebase-workspace-4.4.2-5.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 31 Fedora Update System 2010-04-16 23:52:21 UTC
kdeaccessibility-4.4.2-1.fc11, kdeadmin-4.4.2-1.fc11, kdeartwork-4.4.2-1.fc11, kdebase-4.4.2-1.fc11, kdebase-runtime-4.4.2-1.fc11, kdebindings-4.4.2-1.fc11, kdeedu-4.4.2-1.fc11, kdegames-4.4.2-1.fc11, kdegraphics-4.4.2-3.fc11, kdemultimedia-4.4.2-2.fc11, kdenetwork-4.4.2-1.fc11, kdepim-4.4.2-1.fc11, kdepim-runtime-4.4.2-1.fc11, kdepimlibs-4.4.2-1.fc11, kdeplasma-addons-4.4.2-1.fc11, kdesdk-4.4.2-1.fc11, kdetoys-4.4.2-1.fc11, kdeutils-4.4.2-1.fc11.1, oxygen-icon-theme-4.4.2-1.fc11, sip-4.10.1-2.fc11, PyQt4-4.7.2-2.fc11, konq-plugins-4.4.0-3.fc11, kdebase-workspace-4.4.2-5.fc11, kdelibs-4.4.2-2.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.