Bug 166997 - CAN-2005-2494 kcheckpass privilege escalation
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: kdebase
Version: 4
Hardware: All Linux
Priority: medium
Severity: low
Assigned To: Ngo Than
QA Contact: Ben Levenson
Whiteboard: impact=low,reported=20050828,public=2...
Keywords: Security
Reported: 2005-08-29 11:05 EDT by Josh Bressers
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2005-09-01 13:23:07 EDT


Description Josh Bressers 2005-08-29 11:05:19 EDT
+++ This bug was initially created as a clone of Bug #166995 +++

This text was scavenged from the KDE advisory:

KDE Security Advisory: kcheckpass local root vulnerability
Original Release Date: 2008-09-05
URL: http://www.kde.org/info/security/advisory-20050905-1.txt

0. References

        CAN-2005-FIXME

1. Systems affected:

        All KDE releases starting from KDE 3.2.0 up to and including
        KDE 3.4.2.


2. Overview:

        Ilja van Sprundel from suresec.org notified the KDE
        security team about a serious lock file handling error
        in kcheckpass that can, in some configurations, be used
        to gain root access.

        In order for an exploit to succeed, the directory /var/lock
        has to be writeable for a user that is allowed to invoke
        kcheckpass.


3. Impact:

        A local user can escalate its privileges to the root user.
Comment 1 Josh Bressers 2005-08-29 11:06:06 EDT
This issue also affects FC3
Comment 3 Josh Bressers 2005-08-29 11:38:06 EDT
Please see the parent bug for the proposed patch.
Comment 4 Ngo Than 2005-09-01 13:23:07 EDT
I have already committed the patch into CVS; it will be included in the next
kdebase update.
Comment 5 Mark J. Cox (Product Security) 2005-09-06 09:13:12 EDT
Public via bugtraq, removing embargo -- note we don't ship anything with
/var/lock world writeable.
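
A check for the precondition named in the advisory overview and in comment 5 (whether /var/lock is writable by anyone other than its owner), as an added example that is not part of this bug report or the KDE advisory. It assumes Linux with GNU coreutils, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the advisory). Classifies who can write to a lock
# directory, the precondition the advisory names for /var/lock.
# Assumes Linux with GNU coreutils (stat -c, readlink -f).

# Prints: missing | owner-only | group-writable:<group> |
#         world-writable | world-writable-sticky
lock_dir_exposure() (
    # Follow symlinks first: /var/lock may point elsewhere (e.g. /run/lock).
    real=$(readlink -f -- "$1" 2>/dev/null) || real=""
    if [ -z "$real" ] || [ ! -d "$real" ]; then
        echo "missing"
        exit 0
    fi
    mode=$(stat -c '%a' -- "$real")     # octal mode, e.g. 755 or 1777
    group=$(stat -c '%G' -- "$real")
    perm=$((0$mode))                    # leading 0: the shell reads it as octal
    if [ $((perm & 0002)) -ne 0 ]; then
        if [ $((perm & 01000)) -ne 0 ]; then
            echo "world-writable-sticky"
        else
            echo "world-writable"
        fi
    elif [ $((perm & 0020)) -ne 0 ]; then
        echo "group-writable:$group"
    else
        echo "owner-only"
    fi
)

# Succeeds (exit 0) when someone other than the owner can create files there.
lock_dir_is_exposed() {
    case $(lock_dir_exposure "$1") in
        world-writable*|group-writable:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report on the directory named in the advisory when run directly.
printf '/var/lock: %s\n' "$(lock_dir_exposure /var/lock)"
```

A `group-writable:<group>` result still needs a look at that group's membership, since the advisory's condition is about any user who is allowed to invoke kcheckpass.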
Comment 6 David Eisenstein 2006-02-05 21:07:39 EST
Note that although kdebase version 6:3.4.2-0.fc4.3 appears in the
changelog in the current FC4 kdebase version, which says it applies
the upstream patch, kdebase-3.4.2-0.fc3.4 was never issued by RedHat.

This issue was fixed in FC4 by the release of kdebase-3.5.0-0.1.fc4 on
2005-12-17 in the announcement FEDORA-2005-1152 <http://tinyurl.com/asdtn>.

This issue has not yet been fixed in FC3.  It also appears that the fix for
this was not checked into CVS for FC3.

See Bug #180057 for fixes of this issue for FC3 and FC2 via FedoraLegacy.
