Bug 570613 - (CVE-2010-0436) CVE-2010-0436 kdm privilege escalation flaw
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Keywords: Security
Blocks: 570026
Depends On: 570620 570621 570622 570624 570625
Reported: 2010-03-04 16:05 EST by Josh Bressers
Modified: 2015-08-19 04:44 EDT

Doc Type: Bug Fix
Last Closed: 2010-06-25 05:55:07 EDT

Attachments
Current proposed patch from upstream (5.02 KB, patch), 2010-03-04 16:21 EST, Josh Bressers
latest patch provided by upstream (7.01 KB, patch), 2010-03-15 11:39 EDT, Vincent Danen
Initial upstream patch [1/2] (1.36 KB, patch), 2010-03-19 06:31 EDT, Tomas Hoger
Initial upstream patch [2/2] (3.67 KB, patch), 2010-03-19 06:32 EDT, Tomas Hoger

Description Josh Bressers 2010-03-04 16:05:29 EST
Sebastian Krahmer from the SUSE security team discovered a privilege escalation flaw in the KDE Display Manager (kdm).

kdm uses a user-owned directory to store a command socket. If the local user can prevent this directory from being removed, they can create a race condition with ksm that could result in setting an arbitrary file on the filesystem to have world-writable permissions.

A local user with access to a console running kdm could use this flaw to gain superuser access.
Comment 2 Josh Bressers 2010-03-04 16:21:44 EST
Created attachment 397924 [details]
Current proposed patch from upstream

I'm not 100% sure this will be the final patch. I'll be sure to upload a new patch as soon as I hear more from upstream.
Comment 8 Vincent Danen 2010-03-15 11:39:01 EDT
Created attachment 400244 [details]
latest patch provided by upstream

This is the latest patch as provided to vendors.  I'd like to say it obsoletes the previous patch, but I'm not 100% sure that it does because it's quite different.
Comment 9 Tomas Hoger 2010-03-19 06:31:48 EDT
Created attachment 401213 [details]
Initial upstream patch [1/2]

The idea of the patch in comment #2 seems to have been abandoned and the fix in comment #8 is heading in the same direction as the initially proposed patch - instead of chowning the directory (/var/run/xdmctl/dmctl-$DISPLAY), it rather chowns the socket (/var/run/xdmctl/dmctl-$DISPLAY/socket).

As some systems reportedly do not honour file permissions on socket files, the patch in comment #8 adds an extra fallback mechanism for those systems, while the initial patch only caused configure to fail on such systems.

I'm attaching the initial upstream patch, as it does not have that extra fallback, which is not needed on Linux and won't be compiled in anyway.  This should be a better starting point for our backports.
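The fix direction described in the report and in comment #9 (keep the directory out of the user's hands and hand over only the socket node), written out as an added C example that is not kdm's code: `create_user_socket` is a hypothetical helper which assumes the privileged process creates and keeps the parent directory itself, so no other user can plant a symlink there, and it refuses to proceed if the directory is owned by someone else or writable by others.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Bind a control socket at <dir>/socket and hand only that socket node to
 * (uid, gid). The directory stays owned by the caller, so nobody else can
 * swap the node for a symlink between creation and chown.
 * Returns the listening fd, or -1 if the directory is unsafe or setup fails. */
int create_user_socket(const char *dir, uid_t uid, gid_t gid)
{
    struct stat st;
    struct sockaddr_un sa;
    int sfd = -1;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0) return -1;
    /* Refuse a directory we do not own or that others can write to: a
     * user-owned directory is exactly what made the kdm race possible. */
    if (fstat(dfd, &st) < 0 || st.st_uid != geteuid() || (st.st_mode & 022))
        goto fail;
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    if (snprintf(sa.sun_path, sizeof sa.sun_path, "%s/socket", dir)
            >= (int)sizeof sa.sun_path)
        goto fail;
    if ((sfd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        goto fail;
    unlinkat(dfd, "socket", 0); /* drop a stale node from an earlier run */
    if (bind(sfd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(sfd, 5) < 0)
        goto fail;
    /* Re-check the node relative to the held dirfd, never following symlinks,
     * and only then change its owner and mode (0600: the user alone). */
    if (fstatat(dfd, "socket", &st, AT_SYMLINK_NOFOLLOW) < 0 || !S_ISSOCK(st.st_mode)
        || fchownat(dfd, "socket", uid, gid, AT_SYMLINK_NOFOLLOW) < 0
        || fchmodat(dfd, "socket", 0600, 0) < 0)
        goto fail;
    close(dfd);
    return sfd;
fail:
    if (sfd >= 0) { unlinkat(dfd, "socket", 0); close(sfd); }
    close(dfd);
    return -1;
}
```

The directory check is what removes the race: if the holder of the directory cannot write to it, nothing can be substituted for the socket node between bind() and fchownat().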
Comment 10 Tomas Hoger 2010-03-19 06:32:19 EDT
Created attachment 401214 [details]
Initial upstream patch [2/2]
Comment 13 Tomas Hoger 2010-03-19 07:02:37 EDT

Red Hat would like to thank Sebastian Krahmer of SuSE Security Team for responsibly reporting this issue.
Comment 24 Tomas Hoger 2010-04-13 11:23:15 EDT
Public now via:
Comment 25 errata-xmlrpc 2010-04-14 06:08:42 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2010:0348 https://rhn.redhat.com/errata/RHSA-2010-0348.html
Comment 26 Fedora Update System 2010-04-15 11:08:24 EDT
kdebase-workspace-4.4.2-5.fc13 has been submitted as an update for Fedora 13.
Comment 27 Fedora Update System 2010-04-15 11:14:39 EDT
kdeaccessibility-4.4.2-1.fc11,kdeadmin-4.4.2-1.fc11,kdeartwork-4.4.2-1.fc11,kdebase-4.4.2-1.fc11,kdebase-runtime-4.4.2-1.fc11,kdebase-workspace-4.4.2-5.fc11,kdebindings-4.4.2-1.fc11,kdeedu-4.4.2-1.fc11,kdegames-4.4.2-1.fc11,kdegraphics-4.4.2-3.fc11,kdelibs-4.4.2-2.fc11,kdemultimedia-4.4.2-2.fc11,kdenetwork-4.4.2-1.fc11,kdepim-4.4.2-1.fc11,kdepim-runtime-4.4.2-1.fc11,kdepimlibs-4.4.2-1.fc11,kdeplasma-addons-4.4.2-1.fc11,kdesdk-4.4.2-1.fc11,kdetoys-4.4.2-1.fc11,kdeutils-4.4.2-1.fc11.1,oxygen-icon-theme-4.4.2-1.fc11,sip-4.10.1-2.fc11,PyQt4-4.7.2-2.fc11,konq-plugins-4.4.0-3.fc11 has been submitted as an update for Fedora 11.
Comment 28 Fedora Update System 2010-04-15 11:17:37 EDT
kdeaccessibility-4.4.2-1.fc12,kdeadmin-4.4.2-1.fc12,kdeartwork-4.4.2-1.fc12,kdebase-4.4.2-1.fc12,kdebase-runtime-4.4.2-1.fc12,kdebase-workspace-4.4.2-5.fc12,kdebindings-4.4.2-1.fc12,kdeedu-4.4.2-1.fc12,kdegames-4.4.2-1.fc12,kdegraphics-4.4.2-3.fc12,kdelibs-4.4.2-2.fc12,kdemultimedia-4.4.2-2.fc12,kdenetwork-4.4.2-1.fc12,kdepim-4.4.2-1.fc12,kdepim-runtime-4.4.2-1.fc12,kdepimlibs-4.4.2-1.fc12,kdeplasma-addons-4.4.2-1.fc12,kdesdk-4.4.2-1.fc12,kdetoys-4.4.2-1.fc12,kdeutils-4.4.2-1.fc12,oxygen-icon-theme-4.4.2-1.fc12,sip-4.10.1-2.fc12,PyQt4-4.7.2-2.fc12,konq-plugins-4.4.0-3.fc12 has been submitted as an update for Fedora 12.
Comment 29 Fedora Update System 2010-04-16 19:33:02 EDT
kdeaccessibility-4.4.2-1.fc12, kdeadmin-4.4.2-1.fc12, kdeartwork-4.4.2-1.fc12, kdebase-4.4.2-1.fc12, kdebase-runtime-4.4.2-1.fc12, kdebindings-4.4.2-1.fc12, kdeedu-4.4.2-1.fc12, kdegames-4.4.2-1.fc12, kdegraphics-4.4.2-3.fc12, kdemultimedia-4.4.2-2.fc12, kdenetwork-4.4.2-1.fc12, kdepim-4.4.2-1.fc12, kdepim-runtime-4.4.2-1.fc12, kdepimlibs-4.4.2-1.fc12, kdeplasma-addons-4.4.2-1.fc12, kdesdk-4.4.2-1.fc12, kdetoys-4.4.2-1.fc12, kdeutils-4.4.2-1.fc12, oxygen-icon-theme-4.4.2-1.fc12, sip-4.10.1-2.fc12, PyQt4-4.7.2-2.fc12, konq-plugins-4.4.0-3.fc12, kdebase-workspace-4.4.2-5.fc12, kdelibs-4.4.2-2.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 30 Fedora Update System 2010-04-16 19:43:17 EDT
kdebase-workspace-4.4.2-5.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 31 Fedora Update System 2010-04-16 19:52:21 EDT
kdeaccessibility-4.4.2-1.fc11, kdeadmin-4.4.2-1.fc11, kdeartwork-4.4.2-1.fc11, kdebase-4.4.2-1.fc11, kdebase-runtime-4.4.2-1.fc11, kdebindings-4.4.2-1.fc11, kdeedu-4.4.2-1.fc11, kdegames-4.4.2-1.fc11, kdegraphics-4.4.2-3.fc11, kdemultimedia-4.4.2-2.fc11, kdenetwork-4.4.2-1.fc11, kdepim-4.4.2-1.fc11, kdepim-runtime-4.4.2-1.fc11, kdepimlibs-4.4.2-1.fc11, kdeplasma-addons-4.4.2-1.fc11, kdesdk-4.4.2-1.fc11, kdetoys-4.4.2-1.fc11, kdeutils-4.4.2-1.fc11.1, oxygen-icon-theme-4.4.2-1.fc11, sip-4.10.1-2.fc11, PyQt4-4.7.2-2.fc11, konq-plugins-4.4.0-3.fc11, kdebase-workspace-4.4.2-5.fc11, kdelibs-4.4.2-2.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.