Ubuntu
kdebase package

[Security] KDM Password-less login vulnerability

Bug #141378 reported by Rich Johnson on 2007-09-20

256

Affects		Status	Importance	Assigned to	Milestone
	kdebase (Ubuntu)	Fix Released	High	Unassigned	Ubuntu ubuntu-7.10-rc
	Dapper	Fix Released	High	Kees Cook
	Edgy	Fix Released	High	Kees Cook
	Feisty	Fix Released	High	Kees Cook
	Gutsy	Fix Released	High	Unassigned	Ubuntu ubuntu-7.10-rc

Bug Description

Binary package hint: kdebase

KDE Security Advisory: KDM passwordless login vulnerability
Original Release Date: 2007-09-19
URL: http://www.kde.org/info/security/advisory-20070919-1.txt

0. References
CVE-2007-4569

1. Systems affected:

KDM as shipped with KDE 3.3.0 up to including 3.5.7. KDE 3.2.x and
older and newer versions than KDE 3.5.7 are not affected.

2. Overview:

KDM can be tricked into performing a password-less login even for
accounts with a password set under certain circumstances, namely
autologin to be configured and "shutdown with password" enabled.

This vulnerability was discovered and reported by Kees Huijgen.

3. Impact:

KDM might allow a normal user to login as another user or even
root without properly supplying login credentials.

4. Solution:

        Source code patches have been made available which fix these
        vulnerabilities. Contact your OS vendor / binary package provider
        for information about how to obtain updated binary packages.

5. Patch:

A patch for KDE 3.5.0 - KDE 3.5.7 is available from
ftp://ftp.kde.org/pub/kde/security_patches :

ee6c57046902c5b5a32a4699558baafc post-3.5.7-kdebase-kdm.diff

A patch for KDE 3.3.0 - KDE 3.4.2 is available from
ftp://ftp.kde.org/pub/kde/security_patches :

ad7333a336bdbaef7fae5e74cd12119b post-3.4.2-kdebase-kdm.diff

CVE References

2007-4569

Revision history for this message

Rich Johnson (nixternal) wrote on 2007-09-20:

#1

Affects Dapper through Gutsy - I am working on debdiffs now for Dapper through Feisty. Gutsy update will be done normally seeing as there will be other updates with it.

Changed in kdebase:
assignee:	nobody → nixternal

Revision history for this message

Rich Johnson (nixternal) wrote on 2007-09-20:

#2

dapper_kdm_security_fix.debdiff Edit (2.9 KiB, text/plain)

Revision history for this message

Rich Johnson (nixternal) wrote on 2007-09-20:

#3

edgy_kdm_security_fix.debdiff Edit (2.9 KiB, text/plain)

Revision history for this message

Rich Johnson (nixternal) wrote on 2007-09-20:

#4

feisty_kdm_security_fix.debdiff Edit (2.9 KiB, text/plain)

Revision history for this message

Rich Johnson (nixternal) wrote on 2007-09-22:

#5

any status on this?

Revision history for this message

Kees Cook (kees) wrote on 2007-09-24:

#6

Sorry for the delay -- this should be published shortly.

Revision history for this message

Kees Cook (kees) wrote on 2007-09-28:

#7

Dapper, Edgy, Feisty updated by USN-517-1: http://www.ubuntu.com/usn/usn-517-1

Changed in kdebase:
assignee:	nixternal → jr
importance:	Undecided → High
status:	New → Triaged
assignee:	nobody → keescook
importance:	Undecided → High
status:	New → Fix Released
assignee:	nobody → keescook
importance:	Undecided → High
status:	New → Fix Released
assignee:	nobody → keescook
importance:	Undecided → High
status:	New → Fix Released

Revision history for this message

Sarah Kowalik (hobbsee-deactivatedaccount) wrote on 2007-09-29:

#8

Download full text (3.5 KiB)

********* *BEGIN ENCRYPTED or SIGNED PART* *********

Format: 1.7
Date: Fri, 28 Sep 2007 18:56:10 +1000
Source: kdebase
Binary: kdesktop kcontrol kpersonalizer kdm kdebase-doc-html kdebase-dbg klipper kappfinder kdebase-doc kdebase kmenuedit kicker libkonq4 konqueror-nsplugins kdebase-bin kdebase-dev ksplash kdeprint libkonq4-dev kwin kdepasswd ksmserver kfind kdebase-kio-plugins kpager khelpcenter kate ksysguard konqueror ktip ksysguardd kdebase-data konsole
Architecture: source
Version: 4:3.5.7-1ubuntu24
Distribution: gutsy
Urgency: low
Maintainer: Jonathan Riddell <email address hidden>
Changed-By: Sarah Hobbs <email address hidden>
Description:
kappfinder - non-KDE application finder for KDE
kate - advanced text editor for KDE
kcontrol - control center for KDE
kdebase - base components from the official KDE release
kdebase-bin - core binaries for the KDE base module
kdebase-data - shared data files for the KDE base module
kdebase-dbg - debugging symbols for kdebase
kdebase-dev - development files for the KDE base module
kdebase-doc - developer documentation for the KDE base module
kdebase-doc-html - KDE base documentation in HTML format
kdebase-kio-plugins - core I/O slaves for KDE
kdepasswd - password changer for KDE
kdeprint - print system for KDE
kdesktop - miscellaneous binaries and files for the KDE desktop
kdm - X display manager for KDE
kfind - file-find utility for KDE
khelpcenter - help center for KDE
kicker - desktop panel for KDE
klipper - clipboard utility for KDE
kmenuedit - menu editor for KDE
konqueror - KDE's advanced file manager, web browser and document viewer
konqueror-nsplugins - Netscape plugin support for Konqueror
konsole - X terminal emulator for KDE
kpager - desktop pager for KDE
kpersonalizer - installation personalizer for KDE
ksmserver - session manager for KDE
ksplash - the KDE splash screen
ksysguard - system guard for KDE
ksysguardd - system guard daemon for KDE
ktip - useful tips for KDE
kwin - the KDE window manager
libkonq4 - core libraries for Konqueror
libkonq4-dev - development files for Konqueror's core libraries
Launchpad-Bugs-Fixed: 107694 139893 141628
Changes:
kdebase (4:3.5.7-1ubuntu24) gutsy; urgency=low
.
   [ Richard A. Johnson ]
   * SECURITY UPDATE: KDM password-less login
   * KDM can be tricked into performing a password-less login even for accounts
     with a password set under certain circumstances, namely autologin to be
     configured and "shutdown with password" enabled.
   * Add kubuntu_sec_03_kdm_pwless_login.diff for session.c to fix KDM
     password-less and autologin configuration.
   * References:
     - http://www.kde.org/info/security/advisory-20070919-1.txt
     - CVE-2007-4569
   * Updated debian/kubuntu_33_kubuntuify_about.diff - changed link to Kubuntu
     Documentation so Konqueror startpage links work correctly
.
   [ Sarah Hobbs ]
   * Added kubuntu_17_check_for_prelinking.diff. (Closes LP: #107694)
   * Added konqueror dependancy for konqueror-nsplugins. (LP: #139893)
   * Added kubuntu_fix_kscreensaver_w...

********* *BEGIN ENCRYPTED or SIGNED PART* *********

Format: 1.7
Date: Fri, 28 Sep 2007 18:56:10 +1000
Source: kdebase
Binary: kdesktop kcontrol kpersonalizer kdm kdebase-doc-html kdebase-dbg klipper kappfinder kdebase-doc kdebase kmenuedit kicker libkonq4 konqueror-nsplugins kdebase-bin kdebase-dev ksplash kdeprint libkonq4-dev kwin kdepasswd ksmserver kfind kdebase-kio-plugins kpager khelpcenter kate ksysguard konqueror ktip ksysguardd kdebase-data konsole
Architecture: source
Version: 4:3.5.7-1ubuntu24
Distribution: gutsy
Urgency: low
Maintainer: Jonathan Riddell <jriddell@ubuntu.com>
Changed-By: Sarah Hobbs <hobbsee@ubuntu.com>
Description:
 kappfinder - non-KDE application finder for KDE
 kate       - advanced text editor for KDE
 kcontrol   - control center for KDE
 kdebase    - base components from the official KDE release
 kdebase-bin - core binaries for the KDE base module
 kdebase-data - shared data files for the KDE base module
 kdebase-dbg - debugging symbols for kdebase
 kdebase-dev - development files for the KDE base module
 kdebase-doc - developer documentation for the KDE base module
 kdebase-doc-html - KDE base documentation in HTML format
 kdebase-kio-plugins - core I/O slaves for KDE
 kdepasswd  - password changer for KDE
 kdeprint   - print system for KDE
 kdesktop   - miscellaneous binaries and files for the KDE desktop
 kdm        - X display manager for KDE
 kfind      - file-find utility for KDE
 khelpcenter - help center for KDE
 kicker     - desktop panel for KDE
 klipper    - clipboard utility for KDE
 kmenuedit  - menu editor for KDE
 konqueror  - KDE's advanced file manager, web browser and document viewer
 konqueror-nsplugins - Netscape plugin support for Konqueror
 konsole    - X terminal emulator for KDE
 kpager     - desktop pager for KDE
 kpersonalizer - installation personalizer for KDE
 ksmserver  - session manager for KDE
 ksplash    - the KDE splash screen
 ksysguard  - system guard for KDE
 ksysguardd - system guard daemon for KDE
 ktip       - useful tips for KDE
 kwin       - the KDE window manager
 libkonq4   - core libraries for Konqueror
 libkonq4-dev - development files for Konqueror's core libraries
Launchpad-Bugs-Fixed: 107694 139893 141628
Changes:
 kdebase (4:3.5.7-1ubuntu24) gutsy; urgency=low
 .
   [ Richard A. Johnson ]
   * SECURITY UPDATE: KDM password-less login
   * KDM can be tricked into performing a password-less login even for accounts
     with a password set under certain circumstances, namely autologin to be
     configured and "shutdown with password" enabled.
   * Add kubuntu_sec_03_kdm_pwless_login.diff for session.c to fix KDM
     password-less and autologin configuration.
   * References:
     - http://www.kde.org/info/security/advisory-20070919-1.txt
     - CVE-2007-4569
   * Updated debian/kubuntu_33_kubuntuify_about.diff - changed link to Kubuntu
     Documentation so Konqueror startpage links work correctly
 .
   [ Sarah Hobbs ]
   * Added kubuntu_17_check_for_prelinking.diff. (Closes LP: #107694)
   * Added konqueror dependancy for konqueror-nsplugins. (LP: #139893)
   * Added kubuntu_fix_kscreensaver_with_compiz_fixed_in_3.5.8.diff (LP:
     #141628)
Files:
 8b09d17d28d45938f1f77735a073496f 2190 kde optional kdebase_3.5.7-1ubuntu24.dsc
 f9dd93e76d4f5d00e9b8c52005ff5e26 597268 kde optional kdebase_3.5.7-1ubuntu24.diff.gz
Original-Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>

********** *END ENCRYPTED or SIGNED PART* **********

Changed in kdebase:
assignee:	jr → hobbsee
status:	Triaged → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

Add patch

Remote bug watches

Bug watches keep track of this bug in other bug trackers.