Red Hat Bugzilla – Bug 166997
CAN-2005-2494 kcheckpass privilege escalation
Last modified: 2007-11-30 17:11:12 EST
+++ This bug was initially created as a clone of Bug #166995 +++
This text was scavenged from the KDE advisory:
KDE Security Advisory: kcheckpass local root vulnerability
Original Release Date: 2008-09-05
1. Systems affected:
All KDE releases starting from KDE 3.2.0 up to including
Ilja van Sprundel from suresec.org notified the KDE
security team about a serious lock file handling error
in kcheckpass that can, in some configurations, be used
to gain root access.
In order for an exploit to succeed, the directory /var/lock
has to be writeable for a user that is allowed to invoke
A local user can escalate its privileges to the root user.
This issue also affects FC3
Please see the parent bug for the proposed patch.
I have already committed the patch into CVS, it will be included in next
Public via bugtraq, removing embargo -- note we don't ship anything with
/var/lock world writeable.
Note that although kdebase version 6:3.4.2-0.fc4.3 appears in the
changelog in the current FC4 kdebase version, which says it applies
the upstream patch, kdebase-3.4.2-0.fc3.4 was never issued by Red Hat.
This issue was fixed in FC4 by the release of kdebase-3.5.0-0.1.fc4 on
2005-12-17 in the announcement FEDORA-2005-1152 <http://tinyurl.com/asdtn>.
This issue has not yet been fixed in FC3. It also appears that the fix for
this was not checked into CVS for FC3.
See Bug #180057 for fixes of this issue for FC3 and FC2 via FedoraLegacy.