Bug 985355 - (CVE-2013-4132) CVE-2013-4132 kde-workspace: NULL pointer dereference in KDM and KCheckPass when glibc 2.17 or FIPS-140 enabled system used
CVE-2013-4132 kde-workspace: NULL pointer dereference in KDM and KCheckPass w...
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20130629,reported=2...
: Security
Depends On: 985365
Blocks: 985389
  Show dependency treegraph
 
Reported: 2013-07-17 06:40 EDT by Jan Lieskovsky
Modified: 2016-03-04 06:53 EST (History)
10 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-08-01 00:55:03 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2013-07-17 06:40:31 EDT
A NULL pointer dereference flaw was found in the way KDE Display Manager (KDM) and the KCheckPass KDE's authentication program of KDE workspace, the desktop of the KDE desktop environment, used to handle crypt() routine failures when used on system where version of the glibc package was based on upstream 2.17 version or used on FIPS-140 enabled Linux system (cases when crypt() returned NULL for cases where password salt violated specifications). A local attacker could use this flaw to cause KDM or KCheckPass denial of service.

Upstream bug report:
[1] https://git.reviewboard.kde.org/r/111261/

Relevant patches:
[2] https://projects.kde.org/projects/kde/kde-workspace/repository/revisions/45b7f137fbc0b942fd2c9b4e8d8c1f0293e64ba7
[3] https://projects.kde.org/projects/kde/kde-workspace/repository/revisions/7777194da6154375fc8103b8c4e29e385cd7ae2e

References:
[4] http://www.openwall.com/lists/oss-security/2013/07/16/4
[5] http://www.openwall.com/lists/oss-security/2013/07/16/7
Comment 1 Jan Lieskovsky 2013-07-17 06:45:21 EDT
This issue previously affected the versions of the kde-workspace package, as shipped with Fedora release of 17, 18, and 19. But updates have been already created (in -candidate repository currently), correcting this flaw.
Comment 4 Huzaifa S. Sidhpurwala 2013-08-01 00:42:39 EDT
Statement:

Not Vulnerable. This issue does not affect the version of kdebase package as shipped with Red Hat Enterprise Linux 5. This issue does not affect the version of kdebase-workspace package as shipped with Red Hat Enterprise Linux 6.

Note You need to log in before you can comment on or make changes to this bug.