Bug 570613 (CVE-2010-0436) - CVE-2010-0436 kdm privilege escalation flaw
Summary: CVE-2010-0436 kdm privilege escalation flaw
Alias: CVE-2010-0436
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Blocks: 570026
Depends On: 570620 570621 570622 570624 570625
Reported: 2010-03-04 21:05 UTC by Josh Bressers
Modified: 2023-05-13 00:40 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2010-06-25 09:55:07 UTC

Attachments
Current proposed patch from upstream (5.02 KB, patch) - 2010-03-04 21:21 UTC, Josh Bressers
latest patch provided by upstream (7.01 KB, patch) - 2010-03-15 15:39 UTC, Vincent Danen
Initial upstream patch [1/2] (1.36 KB, patch) - 2010-03-19 10:31 UTC, Tomas Hoger
Initial upstream patch [2/2] (3.67 KB, patch) - 2010-03-19 10:32 UTC, Tomas Hoger

Related errata: Red Hat Product Errata RHSA-2010:0348 (priority normal, status SHIPPED_LIVE) - Important: kdebase security update, last updated 2010-04-14 10:15:02 UTC

Description Josh Bressers 2010-03-04 21:05:29 UTC
Sebastian Krahmer from the SUSE security team discovered a privilege escalation flaw in the KDE Display Manager (kdm).

kdm uses a user owned directory to store a command socket. If the local user can prevent this directory from being removed, they can create a race condition with kdm that could result in setting an arbitrary file on the filesystem to have world writable permissions.

A local user with access to a console running kdm could use this flaw to gain superuser access.

Comment 2 Josh Bressers 2010-03-04 21:21:44 UTC
Created attachment 397924 [details]
Current proposed patch from upstream

I'm not 100% sure this will be the final patch. I'll be sure to upload a new patch as soon as I hear more from upstream.

Comment 8 Vincent Danen 2010-03-15 15:39:01 UTC
Created attachment 400244 [details]
latest patch provided by upstream

This is the latest patch as provided to vendors.  I'd like to say it obsoletes the previous patch, but I'm not 100% sure that it does because it's quite different.

Comment 9 Tomas Hoger 2010-03-19 10:31:48 UTC
Created attachment 401213 [details]
Initial upstream patch [1/2]

The idea of the patch in comment #2 seems to have been abandoned and the fix in comment #8 is heading in the same direction as the initially proposed patch - instead of chowning the directory (/var/run/xdmctl/dmctl-$DISPLAY), it rather chowns the socket (/var/run/xdmctl/dmctl-$DISPLAY/socket).

As some systems reportedly do not honour file permissions on socket files, the patch in comment #8 adds an extra fallback mechanism for those systems, while the initial patch only caused configure to fail on such systems.

I'm attaching the initial upstream patch, as it does not have that extra fallback, which is not needed on Linux and won't be compiled in anyway.  This should be a better starting point for our backports.
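The direction described in comment #9 (give the session user the socket node, not the directory) as an added C example; this is not upstream's kdm patch. The daemon opens the per-display directory, refuses it unless the daemon owns it and nobody else can write to it, binds the socket, and chowns only the socket node relative to the checked directory fd. The directory path, socket name and the try_in_tempdir self-check are constructed for the example, and it assumes the directory sits in a root-owned tree since bind() still resolves a path.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Listening AF_UNIX socket at dir/name; only the socket node is handed to uid:gid. */
int create_ctl_socket(const char *dir, const char *name, uid_t uid, gid_t gid)
{
    struct stat st; mode_t old;
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    int sfd = -1, rc, dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0) return -1;
    /* A directory the daemon does not own, or that others can write to, is the
     * user-controlled directory the flaw relied on: refuse it rather than chown it. */
    if (fstat(dfd, &st) < 0 || st.st_uid != geteuid() || (st.st_mode & (S_IWGRP | S_IWOTH)))
        goto fail;
    if (snprintf(sa.sun_path, sizeof sa.sun_path, "%s/%s", dir, name) >= (int)sizeof sa.sun_path
        || (sfd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        goto fail;
    old = umask(077);                      /* bind() creates the node as 0600 */
    rc = bind(sfd, (struct sockaddr *)&sa, sizeof sa);
    umask(old);
    /* Chown the node relative to the checked dfd without following links, then confirm it is still a socket now owned by the user. */
    if (rc < 0 || fchownat(dfd, name, uid, gid, AT_SYMLINK_NOFOLLOW) < 0
        || fstatat(dfd, name, &st, AT_SYMLINK_NOFOLLOW) < 0 || !S_ISSOCK(st.st_mode)
        || st.st_uid != uid || listen(sfd, 5) < 0)
        goto fail;
    close(dfd);
    return sfd;
fail:
    if (sfd >= 0) close(sfd);
    close(dfd);
    return -1;
}

/* Self-check on a constructed temp dir: 1 if created, 0 if refused; world_writable simulates a tampered dir. */
int try_in_tempdir(int world_writable)
{
    char dir[] = "/tmp/ctlsock-XXXXXX", path[64];
    if (!mkdtemp(dir) || (world_writable && chmod(dir, 0777) < 0)) return -1;
    int fd = create_ctl_socket(dir, "socket", getuid(), getgid());
    if (fd >= 0) close(fd);
    snprintf(path, sizeof path, "%s/socket", dir);
    unlink(path); rmdir(dir);
    return fd >= 0;
}
```

Chowning to the caller's own uid/gid lets the self-check run unprivileged; a real display manager would pass the session user's ids.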

Comment 10 Tomas Hoger 2010-03-19 10:32:19 UTC
Created attachment 401214 [details]
Initial upstream patch [2/2]

Comment 13 Tomas Hoger 2010-03-19 11:02:37 UTC

Red Hat would like to thank Sebastian Krahmer of SuSE Security Team for responsibly reporting this issue.

Comment 24 Tomas Hoger 2010-04-13 15:23:15 UTC
Public now via:

Comment 25 errata-xmlrpc 2010-04-14 10:08:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2010:0348 https://rhn.redhat.com/errata/RHSA-2010-0348.html

Comment 26 Fedora Update System 2010-04-15 15:08:24 UTC
kdebase-workspace-4.4.2-5.fc13 has been submitted as an update for Fedora 13.

Comment 27 Fedora Update System 2010-04-15 15:14:39 UTC
kdeaccessibility-4.4.2-1.fc11,kdeadmin-4.4.2-1.fc11,kdeartwork-4.4.2-1.fc11,kdebase-4.4.2-1.fc11,kdebase-runtime-4.4.2-1.fc11,kdebase-workspace-4.4.2-5.fc11,kdebindings-4.4.2-1.fc11,kdeedu-4.4.2-1.fc11,kdegames-4.4.2-1.fc11,kdegraphics-4.4.2-3.fc11,kdelibs-4.4.2-2.fc11,kdemultimedia-4.4.2-2.fc11,kdenetwork-4.4.2-1.fc11,kdepim-4.4.2-1.fc11,kdepim-runtime-4.4.2-1.fc11,kdepimlibs-4.4.2-1.fc11,kdeplasma-addons-4.4.2-1.fc11,kdesdk-4.4.2-1.fc11,kdetoys-4.4.2-1.fc11,kdeutils-4.4.2-1.fc11.1,oxygen-icon-theme-4.4.2-1.fc11,sip-4.10.1-2.fc11,PyQt4-4.7.2-2.fc11,konq-plugins-4.4.0-3.fc11 has been submitted as an update for Fedora 11.

Comment 28 Fedora Update System 2010-04-15 15:17:37 UTC
kdeaccessibility-4.4.2-1.fc12,kdeadmin-4.4.2-1.fc12,kdeartwork-4.4.2-1.fc12,kdebase-4.4.2-1.fc12,kdebase-runtime-4.4.2-1.fc12,kdebase-workspace-4.4.2-5.fc12,kdebindings-4.4.2-1.fc12,kdeedu-4.4.2-1.fc12,kdegames-4.4.2-1.fc12,kdegraphics-4.4.2-3.fc12,kdelibs-4.4.2-2.fc12,kdemultimedia-4.4.2-2.fc12,kdenetwork-4.4.2-1.fc12,kdepim-4.4.2-1.fc12,kdepim-runtime-4.4.2-1.fc12,kdepimlibs-4.4.2-1.fc12,kdeplasma-addons-4.4.2-1.fc12,kdesdk-4.4.2-1.fc12,kdetoys-4.4.2-1.fc12,kdeutils-4.4.2-1.fc12,oxygen-icon-theme-4.4.2-1.fc12,sip-4.10.1-2.fc12,PyQt4-4.7.2-2.fc12,konq-plugins-4.4.0-3.fc12 has been submitted as an update for Fedora 12.

Comment 29 Fedora Update System 2010-04-16 23:33:02 UTC
kdeaccessibility-4.4.2-1.fc12, kdeadmin-4.4.2-1.fc12, kdeartwork-4.4.2-1.fc12, kdebase-4.4.2-1.fc12, kdebase-runtime-4.4.2-1.fc12, kdebindings-4.4.2-1.fc12, kdeedu-4.4.2-1.fc12, kdegames-4.4.2-1.fc12, kdegraphics-4.4.2-3.fc12, kdemultimedia-4.4.2-2.fc12, kdenetwork-4.4.2-1.fc12, kdepim-4.4.2-1.fc12, kdepim-runtime-4.4.2-1.fc12, kdepimlibs-4.4.2-1.fc12, kdeplasma-addons-4.4.2-1.fc12, kdesdk-4.4.2-1.fc12, kdetoys-4.4.2-1.fc12, kdeutils-4.4.2-1.fc12, oxygen-icon-theme-4.4.2-1.fc12, sip-4.10.1-2.fc12, PyQt4-4.7.2-2.fc12, konq-plugins-4.4.0-3.fc12, kdebase-workspace-4.4.2-5.fc12, kdelibs-4.4.2-2.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 30 Fedora Update System 2010-04-16 23:43:17 UTC
kdebase-workspace-4.4.2-5.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 31 Fedora Update System 2010-04-16 23:52:21 UTC
kdeaccessibility-4.4.2-1.fc11, kdeadmin-4.4.2-1.fc11, kdeartwork-4.4.2-1.fc11, kdebase-4.4.2-1.fc11, kdebase-runtime-4.4.2-1.fc11, kdebindings-4.4.2-1.fc11, kdeedu-4.4.2-1.fc11, kdegames-4.4.2-1.fc11, kdegraphics-4.4.2-3.fc11, kdemultimedia-4.4.2-2.fc11, kdenetwork-4.4.2-1.fc11, kdepim-4.4.2-1.fc11, kdepim-runtime-4.4.2-1.fc11, kdepimlibs-4.4.2-1.fc11, kdeplasma-addons-4.4.2-1.fc11, kdesdk-4.4.2-1.fc11, kdetoys-4.4.2-1.fc11, kdeutils-4.4.2-1.fc11.1, oxygen-icon-theme-4.4.2-1.fc11, sip-4.10.1-2.fc11, PyQt4-4.7.2-2.fc11, konq-plugins-4.4.0-3.fc11, kdebase-workspace-4.4.2-5.fc11, kdelibs-4.4.2-2.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
