+++ This bug was initially created as a clone of Bug #166995 +++

This text was scavenged from the KDE advisory:

KDE Security Advisory: kcheckpass local root vulnerability
Original Release Date: 2008-09-05
URL: http://www.kde.org/info/security/advisory-20050905-1.txt

0. References
        CAN-2005-FIXME

1. Systems affected:
        All KDE releases starting from KDE 3.2.0 up to including KDE 3.4.2.

2. Overview:
        Ilja van Sprundel from suresec.org notified the KDE security team about a serious lock file handling error in kcheckpass that can, in some configurations, be used to gain root access. In order for an exploit to succeed, the directory /var/lock has to be writeable for a user that is allowed to invoke kcheckpass.

3. Impact:
        A local user can escalate its privileges to the root user.
This issue also affects FC3
Please see the parent bug for the proposed patch.
I have already committed the patch into CVS; it will be included in the next kdebase update.
Public via bugtraq, removing embargo -- note we don't ship anything with /var/lock world writeable.
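Added example, not part of the bug report or the KDE advisory: a POSIX shell check for the precondition the advisory names, reporting who can create files in /var/lock. The function name `lockdir_exposure` and its verdict strings are made up for this illustration.

```shell
#!/bin/sh
# Added example: classify who can create files in a lock directory.
# /var/lock is the directory named in the advisory; the function name
# and the verdict strings are assumptions made for this illustration.

lockdir_exposure() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "missing"
        return 0
    fi
    # -L follows a symlink (on many systems /var/lock points elsewhere),
    # so the mode reported is that of the real directory.
    # cut keeps the 10 mode characters and drops any trailing ACL marker.
    mode=$(ls -ldL "$dir" | cut -c1-10)
    group_w=$(printf '%s' "$mode" | cut -c6)
    other_w=$(printf '%s' "$mode" | cut -c9)
    sticky=$(printf '%s' "$mode" | cut -c10)

    if [ "$other_w" = "w" ]; then
        # The sticky bit only stops users from removing each other's
        # files; any local user can still create files here, so both
        # verdicts meet the advisory's precondition.
        case $sticky in
            t|T) echo "world-writable-sticky" ;;
            *)   echo "world-writable" ;;
        esac
    elif [ "$group_w" = "w" ]; then
        # Exposure depends on which users are members of the owning group.
        echo "group-writable"
    else
        echo "restricted"
    fi
}

lockdir_exposure "${1:-/var/lock}"
```

A `group-writable` result needs a follow-up look at the owning group's membership before the system can be called unaffected.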
Note that although kdebase version 6:3.4.2-0.fc4.3 appears in the changelog in the current FC4 kdebase version, which says it applies the upstream patch, kdebase-3.4.2-0.fc3.4 was never issued by RedHat. This issue was fixed in FC4 by the release of kdebase-3.5.0-0.1.fc4 on 2005-12-17 in the announcement FEDORA-2005-1152 <http://tinyurl.com/asdtn>. This issue has not yet been fixed in FC3. It also appears that the fix for this was not checked into CVS for FC3. See Bug #180057 for fixes of this issue for FC3 and FC2 via FedoraLegacy.