KDE Security Team provided us with following draft or their security advisory: KDE Security Advisory: KDM Denial of Service Vulnerability Original Release Date: 2007-12-XX URL: http://www.kde.org/info/security/advisory-200712XX-1.txt 0. References CVE-FIXME 1. Systems affected: KDM as shipped with KDE 3.2.0 up to including 3.5.8. 2. Overview: KDM can be tricked into hanging or eating memory by reading from special files (pipes or symlinks to devices), big or sparse files created in the users home directory. A regular user with a valid account is able to prepare his home directory in a way that will make login via KDM impossible for any user if KDM's user list display is enabled and users are permitted to add their own images. Given that the account can be identified easily, this issue is only sensitive for high security environments. 3. Impact: A regular user with a valid account is able to make login via KDM impossible. A regular user can also cause KDM to exceed the system resource limits. 3a. Workaround: The login DoS can be worked around by either disabling the user list feature entirely (UserList=false in kdmrc) or displaying only administratively assigned images (FaceSource=AdminOnly). The memory consumption issue can be worked around by setting an appropriate resource limit on KDM itself. Note that this affects local X servers as well. 4. Solution: Source code patches have been made available which fix these vulnerabilities. Contact your OS vendor / binary package provider for information about how to obtain updated binary packages. 5. Patch: A patch for KDE 3.3.0 - KDE 3.5.7 is available from ftp://ftp.kde.org/pub/kde/security_patches : 205b2928f5a3b6f68527f33c05f56fb4 post-3.5.8-kdebase-kdm.diff
Created attachment 275841 [details] Upstream patch
Created attachment 277201 [details] Upstream patch (2nd part) Problem can be triggered by user's login image file (~/.face or ~/.face.icon) or by user's preferred display manager configuration file (~/.dmrc). Patch in comment #1 only addresses second case, this patch addresses first one.
Public now, lifting embargo: http://bugs.gentoo.org/show_bug.cgi?id=200856 Due to low impact of this issue, upstream is incorporating the fix to next upstream release, but will probably not release security advisory.
At this time Red Hat does not intend to address this flaw in a future update. If the status of this flaw changes, this bug report shall be updated accordingly.
Someone on an IRC channel just said this, and then while searching found this bug, but did not wish to post, so iām quoting them without editing: 23:43 <user> oh wow. i just had a linux moment 23:43 <user> kdm, by default, searches for every user and looks in their home directory for a .face.icon 23:43 <user> so here in my enterprise environment, that means it searches ldap for every account, and tries to open a file in their home directory... causing every home mount point to be mounted 23:45 <user> stupid thing is, my kdm login theme does not have the userlist in it. I am surprised this was WONTFIXed, if it still exhibits a behaviour this detrimental.