GLSA 200311-01: kdebase: KDM vulnerabilities
| Severity: | normal |
| Title: | kdebase: KDM vulnerabilities |
| Date: | 11/15/2003 |
| Bugs: | |
| ID: | 200311-01 |
Synopsis
A bug in KDM can allow privilege escalation with certain configurations of PAM modules.Background
KDM is the desktop manager included with the K Desktop Environment.
Affected packages
| Package | Vulnerable | Unaffected | Architecture(s) |
|---|---|---|---|
| kde-base/kdebase | <= 3.1.3 | >= 3.1.4 | All supported architectures |
Description
Firstly, versions of KDM <=3.1.3 are vulnerable to a privilege escalation bug with a specific configuration of PAM modules. Users who do not use PAM with KDM and users who use PAM with regular Unix crypt/MD5 based authentication methods are not affected.
Secondly, KDM uses a weak cookie generation algorithm. Users are advised to upgrade to KDE 3.1.4, which uses /dev/urandom as a non-predictable source of entropy to improve security.
Impact
A remote or local attacker could gain root privileges.
Workaround
There is no known workaround at this time.
Resolution
It is recommended that all Gentoo Linux users who are running kde-base/kdebase <=3.1.3 upgrade:
# emerge sync
# emerge -pv '>=kde-base/kde-3.1.4'
# emerge '>=kde-base/kde-3.1.4'
# emerge clean
References
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2010 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.