Sebastian Krahmer from the SUSE security team discovered a privilege escalation flaw in the KDE Display Manager (kdm). kdm uses a user-owned directory to store a command socket. If the local user can prevent this directory from being removed, they can create a race condition with kdm that could result in setting an arbitrary file on the filesystem to have world-writable permissions. A local user with access to a console running kdm could use this flaw to gain superuser access.
Created attachment 397924: Current proposed patch from upstream. I'm not 100% sure this will be the final patch. I'll be sure to upload a new patch as soon as I hear more from upstream.
Created attachment 400244: latest patch provided by upstream. This is the latest patch as provided to vendors. I'd like to say it obsoletes the previous patch, but I'm not 100% sure that it does because it's quite different.
Created attachment 401213: Initial upstream patch [1/2]. The idea of the patch in comment #2 seems to have been abandoned, and the fix in comment #8 is heading in the same direction as the initially proposed patch: instead of chowning the directory (/var/run/xdmctl/dmctl-$DISPLAY), it rather chowns the socket (/var/run/xdmctl/dmctl-$DISPLAY/socket). As some systems reportedly do not honour file permissions on socket files, the patch in comment #8 adds an extra fallback mechanism for those systems, while the initial patch only caused configure to fail on such systems. I'm attaching the initial upstream patch, as it does not have that extra fallback, which is not needed on Linux and won't be compiled in anyway. This should be a better starting point for our backports.
Created attachment 401214: Initial upstream patch [2/2]
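An added audit check for the layout the upstream fix moves toward (a per-display directory that stays owned by a trusted uid and is not writable by others, with only the socket entry handed to the session user). This is example code written for this page, not from the bug, the attached patches, or kdm itself; the expected owners are assumptions passed in by the caller, and the demo builds a constructed layout in a temporary directory rather than touching /var/run/xdmctl.

```python
"""Audit a kdm-style per-display command-socket directory.

Added example, not code from the bug report, the attached patches, or kdm.
Assumed layout (the page names the paths, the ownership rules are assumptions):
  <dir>          owned by trusted_uid, a real directory (not a symlink),
                 not writable by group or others
  <dir>/socket   a real socket (not a symlink) owned by session_uid
"""
import os
import socket
import stat
import tempfile


def audit_display_dir(path, trusted_uid, session_uid):
    """Return a list of findings; an empty list means the layout is as expected."""
    findings = []
    try:
        st = os.lstat(path)  # lstat so a symlink planted in place of the dir is caught
    except FileNotFoundError:
        return ["directory missing: %s" % path]
    if stat.S_ISLNK(st.st_mode):
        return ["directory is a symlink: %s" % path]
    if not stat.S_ISDIR(st.st_mode):
        return ["not a directory: %s" % path]
    if st.st_uid != trusted_uid:
        findings.append("directory owned by uid %d, expected %d" % (st.st_uid, trusted_uid))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("directory writable by group/others (mode %o)" % stat.S_IMODE(st.st_mode))

    sock_path = os.path.join(path, "socket")
    try:
        sst = os.lstat(sock_path)
    except FileNotFoundError:
        findings.append("socket missing: %s" % sock_path)
        return findings
    if stat.S_ISLNK(sst.st_mode):
        findings.append("socket entry is a symlink: %s" % sock_path)
    elif not stat.S_ISSOCK(sst.st_mode):
        findings.append("socket entry is not a socket: %s" % sock_path)
    if sst.st_uid != session_uid:
        findings.append("socket owned by uid %d, expected session uid %d" % (sst.st_uid, session_uid))
    return findings


def demo():
    """Build a constructed layout in a temp dir and audit it three ways:
    the intended shape, the shape where the directory belongs to someone other
    than the trusted uid, and the same with group write added."""
    me = os.getuid()
    other = me + 1  # constructed "trusted" uid that differs from the real owner; nothing is chowned
    with tempfile.TemporaryDirectory() as tmp:
        d = os.path.join(tmp, "dmctl-:0")
        os.mkdir(d, 0o755)
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.bind(os.path.join(d, "socket"))  # creates a real socket entry owned by this uid
        good = audit_display_dir(d, trusted_uid=me, session_uid=me)
        # Directory owned by a uid that is not the trusted one (the user-owned directory of the original design)
        wrong_owner = audit_display_dir(d, trusted_uid=other, session_uid=me)
        os.chmod(d, 0o775)  # group-writable on top of the wrong owner
        wrong_owner_writable = audit_display_dir(d, trusted_uid=other, session_uid=me)
        s.close()
    return good, wrong_owner, wrong_owner_writable


if __name__ == "__main__":
    for label, result in zip(("good", "wrong_owner", "wrong_owner_writable"), demo()):
        print(label, result or "ok")
```

The check deliberately uses lstat on both the directory and the socket entry, so a symlink substituted for either is reported rather than followed; it reports, it does not remove anything, since deleting on the auditor's behalf would reintroduce the same kind of race the bug describes.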
Acknowledgements: Red Hat would like to thank Sebastian Krahmer of SuSE Security Team for responsibly reporting this issue.
Public now via: http://www.kde.org/info/security/advisory-20100413-1.txt
This issue has been addressed in the following products: Red Hat Enterprise Linux 4, Red Hat Enterprise Linux 5. Via RHSA-2010:0348 https://rhn.redhat.com/errata/RHSA-2010-0348.html
kdebase-workspace-4.4.2-5.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/kdebase-workspace-4.4.2-5.fc13
kdeaccessibility-4.4.2-1.fc11,kdeadmin-4.4.2-1.fc11,kdeartwork-4.4.2-1.fc11,kdebase-4.4.2-1.fc11,kdebase-runtime-4.4.2-1.fc11,kdebase-workspace-4.4.2-5.fc11,kdebindings-4.4.2-1.fc11,kdeedu-4.4.2-1.fc11,kdegames-4.4.2-1.fc11,kdegraphics-4.4.2-3.fc11,kdelibs-4.4.2-2.fc11,kdemultimedia-4.4.2-2.fc11,kdenetwork-4.4.2-1.fc11,kdepim-4.4.2-1.fc11,kdepim-runtime-4.4.2-1.fc11,kdepimlibs-4.4.2-1.fc11,kdeplasma-addons-4.4.2-1.fc11,kdesdk-4.4.2-1.fc11,kdetoys-4.4.2-1.fc11,kdeutils-4.4.2-1.fc11.1,oxygen-icon-theme-4.4.2-1.fc11,sip-4.10.1-2.fc11,PyQt4-4.7.2-2.fc11,konq-plugins-4.4.0-3.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/kdeaccessibility-4.4.2-1.fc11,kdeadmin-4.4.2-1.fc11,kdeartwork-4.4.2-1.fc11,kdebase-4.4.2-1.fc11,kdebase-runtime-4.4.2-1.fc11,kdebase-workspace-4.4.2-5.fc11,kdebindings-4.4.2-1.fc11,kdeedu-4.4.2-1.fc11,kdegames-4.4.2-1.fc11,kdegraphics-4.4.2-3.fc11,kdelibs-4.4.2-2.fc11,kdemultimedia-4.4.2-2.fc11,kdenetwork-4.4.2-1.fc11,kdepim-4.4.2-1.fc11,kdepim-runtime-4.4.2-1.fc11,kdepimlibs-4.4.2-1.fc11,kdeplasma-addons-4.4.2-1.fc11,kdesdk-4.4.2-1.fc11,kdetoys-4.4.2-1.fc11,kdeutils-4.4.2-1.fc11.1,oxygen-icon-theme-4.4.2-1.fc11,sip-4.10.1-2.fc11,PyQt4-4.7.2-2.fc11,konq-plugins-4.4.0-3.fc11
kdeaccessibility-4.4.2-1.fc12,kdeadmin-4.4.2-1.fc12,kdeartwork-4.4.2-1.fc12,kdebase-4.4.2-1.fc12,kdebase-runtime-4.4.2-1.fc12,kdebase-workspace-4.4.2-5.fc12,kdebindings-4.4.2-1.fc12,kdeedu-4.4.2-1.fc12,kdegames-4.4.2-1.fc12,kdegraphics-4.4.2-3.fc12,kdelibs-4.4.2-2.fc12,kdemultimedia-4.4.2-2.fc12,kdenetwork-4.4.2-1.fc12,kdepim-4.4.2-1.fc12,kdepim-runtime-4.4.2-1.fc12,kdepimlibs-4.4.2-1.fc12,kdeplasma-addons-4.4.2-1.fc12,kdesdk-4.4.2-1.fc12,kdetoys-4.4.2-1.fc12,kdeutils-4.4.2-1.fc12,oxygen-icon-theme-4.4.2-1.fc12,sip-4.10.1-2.fc12,PyQt4-4.7.2-2.fc12,konq-plugins-4.4.0-3.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/kdeaccessibility-4.4.2-1.fc12,kdeadmin-4.4.2-1.fc12,kdeartwork-4.4.2-1.fc12,kdebase-4.4.2-1.fc12,kdebase-runtime-4.4.2-1.fc12,kdebase-workspace-4.4.2-5.fc12,kdebindings-4.4.2-1.fc12,kdeedu-4.4.2-1.fc12,kdegames-4.4.2-1.fc12,kdegraphics-4.4.2-3.fc12,kdelibs-4.4.2-2.fc12,kdemultimedia-4.4.2-2.fc12,kdenetwork-4.4.2-1.fc12,kdepim-4.4.2-1.fc12,kdepim-runtime-4.4.2-1.fc12,kdepimlibs-4.4.2-1.fc12,kdeplasma-addons-4.4.2-1.fc12,kdesdk-4.4.2-1.fc12,kdetoys-4.4.2-1.fc12,kdeutils-4.4.2-1.fc12,oxygen-icon-theme-4.4.2-1.fc12,sip-4.10.1-2.fc12,PyQt4-4.7.2-2.fc12,konq-plugins-4.4.0-3.fc12
kdeaccessibility-4.4.2-1.fc12, kdeadmin-4.4.2-1.fc12, kdeartwork-4.4.2-1.fc12, kdebase-4.4.2-1.fc12, kdebase-runtime-4.4.2-1.fc12, kdebindings-4.4.2-1.fc12, kdeedu-4.4.2-1.fc12, kdegames-4.4.2-1.fc12, kdegraphics-4.4.2-3.fc12, kdemultimedia-4.4.2-2.fc12, kdenetwork-4.4.2-1.fc12, kdepim-4.4.2-1.fc12, kdepim-runtime-4.4.2-1.fc12, kdepimlibs-4.4.2-1.fc12, kdeplasma-addons-4.4.2-1.fc12, kdesdk-4.4.2-1.fc12, kdetoys-4.4.2-1.fc12, kdeutils-4.4.2-1.fc12, oxygen-icon-theme-4.4.2-1.fc12, sip-4.10.1-2.fc12, PyQt4-4.7.2-2.fc12, konq-plugins-4.4.0-3.fc12, kdebase-workspace-4.4.2-5.fc12, kdelibs-4.4.2-2.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
kdebase-workspace-4.4.2-5.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
kdeaccessibility-4.4.2-1.fc11, kdeadmin-4.4.2-1.fc11, kdeartwork-4.4.2-1.fc11, kdebase-4.4.2-1.fc11, kdebase-runtime-4.4.2-1.fc11, kdebindings-4.4.2-1.fc11, kdeedu-4.4.2-1.fc11, kdegames-4.4.2-1.fc11, kdegraphics-4.4.2-3.fc11, kdemultimedia-4.4.2-2.fc11, kdenetwork-4.4.2-1.fc11, kdepim-4.4.2-1.fc11, kdepim-runtime-4.4.2-1.fc11, kdepimlibs-4.4.2-1.fc11, kdeplasma-addons-4.4.2-1.fc11, kdesdk-4.4.2-1.fc11, kdetoys-4.4.2-1.fc11, kdeutils-4.4.2-1.fc11.1, oxygen-icon-theme-4.4.2-1.fc11, sip-4.10.1-2.fc11, PyQt4-4.7.2-2.fc11, konq-plugins-4.4.0-3.fc11, kdebase-workspace-4.4.2-5.fc11, kdelibs-4.4.2-2.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.