KDE Security Team provided us with following draft or their security advisory:
KDE Security Advisory: KDM Denial of Service Vulnerability
Original Release Date: 2007-12-XX
1. Systems affected:
KDM as shipped with KDE 3.2.0 up to including 3.5.8.
KDM can be tricked into hanging or eating memory by reading from
special files (pipes or symlinks to devices), big or sparse files
created in the users home directory.
A regular user with a valid account is able to prepare his home
directory in a way that will make login via KDM impossible for
any user if KDM's user list display is enabled and users are
permitted to add their own images. Given that the account can be
identified easily, this issue is only sensitive for high
A regular user with a valid account is able to make login via KDM
impossible. A regular user can also cause KDM to exceed the
system resource limits.
The login DoS can be worked around by either disabling the user list
feature entirely (UserList=false in kdmrc) or displaying only
administratively assigned images (FaceSource=AdminOnly).
The memory consumption issue can be worked around by setting an
appropriate resource limit on KDM itself. Note that this affects
local X servers as well.
Source code patches have been made available which fix these
vulnerabilities. Contact your OS vendor / binary package provider
for information about how to obtain updated binary packages.
A patch for KDE 3.3.0 - KDE 3.5.7 is available from
Created attachment 275841 [details]
Created attachment 277201 [details]
Upstream patch (2nd part)
Problem can be triggered by user's login image file (~/.face or ~/.face.icon)
or by user's preferred display manager configuration file (~/.dmrc). Patch in
comment #1 only addresses second case, this patch addresses first one.
Public now, lifting embargo:
Due to low impact of this issue, upstream is incorporating the fix to next
upstream release, but will probably not release security advisory.
At this time Red Hat does not intend to address this flaw in a future update. If the status of this flaw changes, this bug report shall be updated accordingly.
Someone on an IRC channel just said this, and then while searching found this bug, but did not wish to post, so i’m quoting them without editing:
23:43 <user> oh wow. i just had a linux moment
23:43 <user> kdm, by default, searches for every user and looks in their home directory for a .face.icon
23:43 <user> so here in my enterprise environment, that means it searches ldap for every account, and tries to open a file in their home directory... causing every home mount point to be mounted
23:45 <user> stupid thing is, my kdm login theme does not have the userlist in it.
I am surprised this was WONTFIXed, if it still exhibits a behaviour this detrimental.