GLSA
Advocate
Joined: 12 May 2004
Posts: 2663
|
 Posted: Sun Oct 14, 2007 10:26 pm Post subject: [ GLSA 200710-15 ] KDM: Local privilege escalation |
 |
|
Gentoo Linux Security Advisory
Title: KDM: Local privilege escalation (GLSA 200710-15)
Severity: high
Exploitable: local
Date: October 14, 2007
Bug(s): #192373
ID: 200710-15
Synopsis
KDM allows logins without password under certain circumstances allowing a local user to gain elevated privileges.
Background
KDM is the Display Manager for the graphical desktop environment KDE. It is part of the kdebase package.
Affected Packages
Package: kde-base/kdm
Vulnerable: < 3.5.7-r2
Unaffected: >= 3.5.7-r2
Architectures: All supported architectures
Package: kde-base/kdebase
Vulnerable: < 3.5.7-r4
Unaffected: >= 3.5.7-r4
Architectures: All supported architectures
Description
Kees Huijgen discovered an error when checking the credentials which can lead to a login without specifying a password. This only occurs when auto login is configured for at least one user and a password is required to shut down the machine.
Impact
A local attacker could gain root privileges and execute arbitrary commands by logging in as root without specifying root's password.
Workaround
There is no known workaround at this time.
Resolution
All KDM users should upgrade to the latest version: | Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=kde-base/kdm-3.5.7-r2" |
All kdebase users should upgrade to the latest version: | Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=kde-base/kdebase-3.5.7-r4" |
References
CVE-2007-4569 |
|
News & Announcements
