Bug 408811 (CVE-2007-5963) - CVE-2007-5963 kdm: local DoS vulnerability
Summary: CVE-2007-5963 kdm: local DoS vulnerability
Alias: CVE-2007-5963
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Whiteboard: source=vendorsec,reported=20071130,pu...
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2007-12-03 16:25 UTC by Tomas Hoger
Modified: 2013-04-16 22:59 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-03-08 07:41:24 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Upstream patch (921 bytes, patch)
2007-12-03 16:28 UTC, Tomas Hoger
no flags Details | Diff
Upstream patch (2nd part) (2.20 KB, patch)
2007-12-04 17:50 UTC, Tomas Hoger
no flags Details | Diff

Description Tomas Hoger 2007-12-03 16:25:11 UTC
KDE Security Team provided us with following draft or their security advisory:

KDE Security Advisory: KDM Denial of Service Vulnerability
Original Release Date: 2007-12-XX
URL: http://www.kde.org/info/security/advisory-200712XX-1.txt

0. References

1. Systems affected:

	KDM as shipped with KDE 3.2.0 up to including 3.5.8.

2. Overview:

	KDM can be tricked into hanging or eating memory by reading from
	special files (pipes or symlinks to devices), big or sparse files
	created in the users home directory.

	A regular user with a valid account is able to prepare his home
	directory in a way that will make login via KDM impossible for
	any user if KDM's user list display is enabled and users are
	permitted to add their own images. Given that the account can be
	identified easily, this issue is only sensitive for high
	security environments.

3. Impact:

	A regular user with a valid account is able to make login via KDM
	impossible. A regular user can also cause KDM to exceed the
	system resource limits.

3a. Workaround:

	The login DoS can be worked around by either disabling the user list
	feature entirely (UserList=false in kdmrc) or displaying only
	administratively assigned images (FaceSource=AdminOnly).

	The memory consumption issue can be worked around by setting an
	appropriate resource limit on KDM itself. Note that this affects 
	local X servers as well.

4. Solution:

        Source code patches have been made available which fix these
        vulnerabilities. Contact your OS vendor / binary package provider
        for information about how to obtain updated binary packages.

5. Patch:

        A patch for KDE 3.3.0 - KDE 3.5.7 is available from
        ftp://ftp.kde.org/pub/kde/security_patches :

        205b2928f5a3b6f68527f33c05f56fb4  post-3.5.8-kdebase-kdm.diff

Comment 1 Tomas Hoger 2007-12-03 16:28:39 UTC
Created attachment 275841 [details]
Upstream patch

Comment 5 Tomas Hoger 2007-12-04 17:50:31 UTC
Created attachment 277201 [details]
Upstream patch (2nd part)

Problem can be triggered by user's login image file (~/.face or ~/.face.icon)
or by user's preferred display manager configuration file (~/.dmrc).  Patch in
comment #1 only addresses second case, this patch addresses first one.

Comment 7 Tomas Hoger 2007-12-17 17:22:46 UTC
Public now, lifting embargo:


Due to low impact of this issue, upstream is incorporating the fix to next
upstream release, but will probably not release security advisory.

Comment 9 Josh Bressers 2010-03-05 16:12:36 UTC
At this time Red Hat does not intend to address this flaw in a future update. If the status of this flaw changes, this bug report shall be updated accordingly.

Comment 10 John Drinkwater 2013-04-16 22:59:28 UTC
Someone on an IRC channel just said this, and then while searching found this bug, but did not wish to post, so i’m quoting them without editing:

23:43 <user> oh wow. i just had a linux moment
23:43 <user> kdm, by default, searches for every user and looks in their home directory for a .face.icon
23:43 <user> so here in my enterprise environment, that means it searches ldap for every account, and tries to open a file in their home directory... causing every home mount point to be mounted
23:45 <user> stupid thing is, my kdm login theme does not have the userlist in it.

I am surprised this was WONTFIXed, if it still exhibits a behaviour this detrimental.

Note You need to log in before you can comment on or make changes to this bug.