Dirk Mueller from the KDE project has provided us with a preview of the upcoming KDE
security advisory for kdm:
KDE Security Advisory: KDM passwordless login vulnerability
Original Release Date: 2007-09-19
1. Systems affected:
KDM as shipped with KDE 3.3.0 up to and including 3.5.7. KDE 3.2.x and
older, and versions newer than KDE 3.5.7, are not affected.
KDM can be tricked into performing a password-less login even for
accounts with a password set under certain circumstances. It
requires autologin to be configured and
"shutdown with password" enabled.
This vulnerability was discovered and reported by C. Huijgen.
KDM might allow a normal user to login as another user or even
root without properly supplying login credentials.
Source code patches have been made available which fix these
vulnerabilities. Contact your OS vendor / binary package provider
for information about how to obtain updated binary packages.
A patch for KDE 3.3.0 - KDE 3.5.7 is available from
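The advisory names two things an administrator can check on a host before the patched packages arrive: whether the installed KDE falls in the affected 3.3.0 to 3.5.7 range, and whether kdmrc combines autologin with the "shutdown with password" setting. The script below is an added example written for this page, not code from the advisory, from KDE or from Red Hat. It assumes (this mapping is not stated on the page) that "autologin configured" corresponds to `AutoLoginEnable=true` in a kdmrc display section and that "shutdown with password" corresponds to `AllowShutdown=Root`; the kdmrc fragments it writes are constructed samples, and `alice` is a placeholder user name.

```shell
#!/bin/sh
# Added audit helper for the KDM advisory conditions (example code, not KDE's).
# Assumptions, not taken from the advisory text:
#   - "autologin configured"      -> AutoLoginEnable=true in a kdmrc display section
#   - "shutdown with password"    -> AllowShutdown=Root in kdmrc
# Only these two preconditions and the version range are checked; nothing is changed.

# Returns 0 if a KDE version string lies in the affected range 3.3.0 .. 3.5.7 (inclusive).
kde_version_affected() {
    maj=$(printf '%s' "$1" | cut -d. -f1)
    min=$(printf '%s' "$1" | cut -d. -f2)
    pat=$(printf '%s' "$1" | cut -d. -f3)
    pat=${pat:-0}                       # "3.5" is treated as "3.5.0"
    [ "$maj" -eq 3 ] || return 1        # only the KDE 3 series is named
    [ "$min" -ge 3 ] || return 1        # 3.2.x and older are not affected
    [ "$min" -le 5 ] || return 1        # 3.6+ would be newer than 3.5.7
    if [ "$min" -eq 5 ] && [ "$pat" -gt 7 ]; then
        return 1                        # 3.5.8 and later are not affected
    fi
    return 0
}

# Returns 0 when the kdmrc at $1 has BOTH preconditions the advisory describes,
# 1 otherwise. Commented-out keys (leading '#') are deliberately not matched.
kdm_precondition_check() {
    file="$1"
    autologin=$(grep -i '^[[:space:]]*AutoLoginEnable[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$file" | head -n 1)
    pwshutdown=$(grep -i '^[[:space:]]*AllowShutdown[[:space:]]*=[[:space:]]*Root[[:space:]]*$' "$file" | head -n 1)
    if [ -n "$autologin" ] && [ -n "$pwshutdown" ]; then
        return 0
    fi
    return 1
}

# Writes a constructed kdmrc fragment to $1 with AutoLoginEnable=$2 and AllowShutdown=$3.
# This is sample data for the example, not a real configuration from the page.
write_sample_kdmrc() {
    cat > "$1" <<EOF
[X-*-Core]
AllowShutdown=$3

[X-:0-Core]
AutoLoginEnable=$2
AutoLoginUser=alice
EOF
}

# Stand-alone demonstration on a constructed sample; on a real host you would
# instead call kdm_precondition_check on the installed kdmrc.
demo_dir=$(mktemp -d)
write_sample_kdmrc "$demo_dir/kdmrc" true Root
if kde_version_affected 3.5.7 && kdm_precondition_check "$demo_dir/kdmrc"; then
    echo "sample: affected version AND both kdmrc preconditions present -> apply the patch"
else
    echo "sample: preconditions not met"
fi
rm -rf "$demo_dir"
```

The two checks are kept separate on purpose: a host running an affected version with only one of the two kdmrc settings is still due for the patch, but the combination is what the advisory says turns the settings into a password-less login.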
Created attachment 193281 [details]
Upstream patch: post-3.5.7-kdebase-kdm.diff
Correct reporter name should be: 'Kees Huijgen'
Issue is public now, lifting embargo:
This issue was addressed in:
Red Hat Enterprise Linux: