A NULL pointer dereference flaw was found in the way KDE Display Manager (KDM) and the KCheckPass KDE's authentication program of KDE workspace, the desktop of the KDE desktop environment, used to handle crypt() routine failures when used on system where version of the glibc package was based on upstream 2.17 version or used on FIPS-140 enabled Linux system (cases when crypt() returned NULL for cases where password salt violated specifications). A local attacker could use this flaw to cause KDM or KCheckPass denial of service. Upstream bug report: [1] https://git.reviewboard.kde.org/r/111261/ Relevant patches: [2] https://projects.kde.org/projects/kde/kde-workspace/repository/revisions/45b7f137fbc0b942fd2c9b4e8d8c1f0293e64ba7 [3] https://projects.kde.org/projects/kde/kde-workspace/repository/revisions/7777194da6154375fc8103b8c4e29e385cd7ae2e References: [4] http://www.openwall.com/lists/oss-security/2013/07/16/4 [5] http://www.openwall.com/lists/oss-security/2013/07/16/7
This issue previously affected the versions of the kde-workspace package, as shipped with Fedora release of 17, 18, and 19. But updates have been already created (in -candidate repository currently), correcting this flaw.
Statement: Not Vulnerable. This issue does not affect the version of kdebase package as shipped with Red Hat Enterprise Linux 5. This issue does not affect the version of kdebase-workspace package as shipped with Red Hat Enterprise Linux 6.