SuSE: 'kdesu' vulnerability


______________________________________________________________________________

                        SuSE Security Announcement

        Package:                kdesu
        Announcement-ID:        SuSE-SA:2001:02
        Date:
        Affected SuSE versions: 6.0, 6.1, 6.2, 6.3, 6.4, 7.0
        Vulnerability Type:     local root compromise
        Severity (1-10):        3
        SuSE default package:   yes
        Other affected systems: All KDE 1 & KDE 2 systems

    Content of this advisory:
        1) security vulnerability resolved: kdesu
           problem description, discussion, solution and upgrade information
        2) pending vulnerabilities, solutions, workarounds
        3) standard appendix (further information)

______________________________________________________________________________

1)  problem description, brief discussion, solution, upgrade information


    kdesu is a KDE frontend for su(1). When invoked it prompts for the
    root password and runs su(1). kdesu itself does not run setuid/setgid.

    However when enabling the 'keep password' option it tries to send
    the password across process boundaries to kdesud via a UNIX socket.
    During this it does not verify the identity of the listener on the other
    end. This allows attackers to obtain the root password.


    This bug has been fixed in the update packages by checking the ownership
    of the socket on the listener side.

    Download the update package from locations desribed below and install
    the package with the command `rpm -Uhv file.rpm'. The md5sum for each
    file is in the line below. You can verify the integrity of the rpm
    files using the command
        `rpm --checksig --nogpg file.rpm',
    independently from the md5 signatures below.


    i386 Intel Platform:

    SuSE-6.1:
      
      3d51f84f2dc87916bc937f3afe507c1a

    SuSE-6.1:
      
      3d51f84f2dc87916bc937f3afe507c1a

    source rpm:
      
      f8764afd475fa7a41c18603d15ce48ab

    SuSE-6.2:
      
      027617e19c957b1ed5f42f140b62521b

    SuSE-6.2:
      
      027617e19c957b1ed5f42f140b62521b

    source rpm:
      
      9cf3d4b0c00db4598968dd5c7e07eef7

    SuSE-6.3:
      
      d2b6c6f3330a20c2eb7d5500de2f9df6

    SuSE-6.3:
      
      d2b6c6f3330a20c2eb7d5500de2f9df6

    source rpm:
      
      a50cc8ba1a793f9151559454fdad0a14

    SuSE-6.4:
      
      8f06dd49bdc00dca25eff33a3754ddee

    SuSE-6.4:
      
      8f06dd49bdc00dca25eff33a3754ddee

    source rpm:
      
      0ca2d30cf51d1307f88581d4e240bbf0

    SuSE-7.0:
      
      c7238ea5775939239b3857b550ca9f1b

    SuSE-7.0:
      
      c7238ea5775939239b3857b550ca9f1b

    source rpm:
      
      bc74c75ba0b514f7df4f0250ccc7454a



    Sparc Platform:



    AXP Alpha Platform:

    SuSE-6.1:
      
      8017cd7fed463cae4bef3fa471e7e1d8

    SuSE-6.1:
      
      8017cd7fed463cae4bef3fa471e7e1d8

    source rpm:
      
      78846e4ae3f50e9264e8840da1a628a8

    SuSE-6.3:
      
      cf1629ba236c0c84e0f2b33101b5f1aa

    SuSE-6.3:
      
      cf1629ba236c0c84e0f2b33101b5f1aa

    source rpm:
      
      da851ebaee36cb91cb1e1fca0c8bfda2

    SuSE-6.4:
      
      d1904cc9db320ea2c576b73633ee6bd5

    SuSE-6.4:
      
      d1904cc9db320ea2c576b73633ee6bd5

    source rpm:
      
      27261cf8ff0ea66a597520260b832f7d

    SuSE-7.0:
      
      be3b258eeeb3c56351b93ec8a32826db

    SuSE-7.0:
      
      be3b258eeeb3c56351b93ec8a32826db

    source rpm:
      
      b7e3139377784c5cbbc4f14a5061d124



    PPC Power PC Platform:

    SuSE-6.4:
      
      705afa4defc64c48f89dd94b2d52c296

    SuSE-6.4:
      
      705afa4defc64c48f89dd94b2d52c296

    source rpm:
      
      32e626fa7e8206d6803957c77062185b

    SuSE-7.0:
      
      e9b4a8a26844af0bc8cb37c8d2d26530

    SuSE-7.0:
      
      e9b4a8a26844af0bc8cb37c8d2d26530

    source rpm:
      
      aaa092ffafe149ef8ba3acf570966e09



______________________________________________________________________________

2)  Pending vulnerabilities in SuSE Distributions and Workarounds:

    - Kmail remote code execution.
      This issue will be adressed in following advisories.

    - pgp4pine bufferoverflow.
      Very unlikely to be exploited, but next advisories will
      contain information on this as well as URL's for patches.

______________________________________________________________________________

3)  standard appendix:

    SuSE runs two security mailing lists to which any interested party may
    subscribe:

    suse-security@suse.com
        -   general/linux/SuSE security discussion.
            All SuSE security announcements are sent to this list.
            To subscribe, send an email to
                <suse-security-subscribe@suse.com>.

    suse-security-announce@suse.com
        -   SuSE's announce-only mailing list.
            Only SuSE's security annoucements are sent to this list.
            To subscribe, send an email to
                <suse-security-announce-subscribe@suse.com>.

    For general information or the frequently asked questions (faq)
    send mail to:
        <suse-security-info@suse.com> or
        <suse-security-faq@suse.com> respectively.

    ==============================================    SuSE's security contact is <security@suse.com>.
    ==============================================
Regards,
Sebastian Krahmer

______________________________________________________________________________

______________________________________________________________________________ SuSE Security Announcement Package: kdesu Announcement-ID: SuSE-SA:2001:02 Date: Affected SuSE versions: 6.0, 6.1, 6.2, 6.3, 6.4, 7.0 Vulnerability Type: local root compromise Severity (1-10): 3 SuSE default package: yes Other affected systems: All KDE 1 & KDE 2 systems Content of this advisory: 1) security vulnerability resolved: kdesu problem description, discussion, solution and upgrade information 2) pending vulnerabilities, solutions, workarounds 3) standard appendix (further information) ______________________________________________________________________________ 1) problem description, brief discussion, solution, upgrade information kdesu is a KDE frontend for su(1). When invoked it prompts for the root password and runs su(1). kdesu itself does not run setuid/setgid. However when enabling the 'keep password' option it tries to send the password across process boundaries to kdesud via a UNIX socket. During this it does not verify the identity of the listener on the other end. This allows attackers to obtain the root password. This bug has been fixed in the update packages by checking the ownership of the socket on the listener side. Download the update package from locations desribed below and install the package with the command `rpm -Uhv file.rpm'. The md5sum for each file is in the line below. You can verify the integrity of the rpm files using the command `rpm --checksig --nogpg file.rpm', independently from the md5 signatures below. i386 Intel Platform: SuSE-6.1: 3d51f84f2dc87916bc937f3afe507c1a SuSE-6.1: 3d51f84f2dc87916bc937f3afe507c1a source rpm: f8764afd475fa7a41c18603d15ce48ab SuSE-6.2: 027617e19c957b1ed5f42f140b62521b SuSE-6.2: 027617e19c957b1ed5f42f140b62521b source rpm: 9cf3d4b0c00db4598968dd5c7e07eef7 SuSE-6.3: d2b6c6f3330a20c2eb7d5500de2f9df6 SuSE-6.3: d2b6c6f3330a20c2eb7d5500de2f9df6 source rpm: a50cc8ba1a793f9151559454fdad0a14 SuSE-6.4: 8f06dd49bdc00dca25eff33a3754ddee SuSE-6.4: 8f06dd49bdc00dca25eff33a3754ddee source rpm: 0ca2d30cf51d1307f88581d4e240bbf0 SuSE-7.0: c7238ea5775939239b3857b550ca9f1b SuSE-7.0: c7238ea5775939239b3857b550ca9f1b source rpm: bc74c75ba0b514f7df4f0250ccc7454a Sparc Platform: AXP Alpha Platform: SuSE-6.1: 8017cd7fed463cae4bef3fa471e7e1d8 SuSE-6.1: 8017cd7fed463cae4bef3fa471e7e1d8 source rpm: 78846e4ae3f50e9264e8840da1a628a8 SuSE-6.3: cf1629ba236c0c84e0f2b33101b5f1aa SuSE-6.3: cf1629ba236c0c84e0f2b33101b5f1aa source rpm: da851ebaee36cb91cb1e1fca0c8bfda2 SuSE-6.4: d1904cc9db320ea2c576b73633ee6bd5 SuSE-6.4: d1904cc9db320ea2c576b73633ee6bd5 source rpm: 27261cf8ff0ea66a597520260b832f7d SuSE-7.0: be3b258eeeb3c56351b93ec8a32826db SuSE-7.0: be3b258eeeb3c56351b93ec8a32826db source rpm: b7e3139377784c5cbbc4f14a5061d124 PPC Power PC Platform: SuSE-6.4: 705afa4defc64c48f89dd94b2d52c296 SuSE-6.4: 705afa4defc64c48f89dd94b2d52c296 source rpm: 32e626fa7e8206d6803957c77062185b SuSE-7.0: e9b4a8a26844af0bc8cb37c8d2d26530 SuSE-7.0: e9b4a8a26844af0bc8cb37c8d2d26530 source rpm: aaa092ffafe149ef8ba3acf570966e09 ______________________________________________________________________________ 2) Pending vulnerabilities in SuSE Distributions and Workarounds: - Kmail remote code execution. This issue will be adressed in following advisories. - pgp4pine bufferoverflow. Very unlikely to be exploited, but next advisories will contain information on this as well as URL's for patches. ______________________________________________________________________________ 3) standard appendix: SuSE runs two security mailing lists to which any interested party may subscribe: suse-security@suse.com - general/linux/SuSE security discussion. All SuSE security announcements are sent to this list. To subscribe, send an email to <suse-security-subscribe@suse.com>. suse-security-announce@suse.com - SuSE's announce-only mailing list. Only SuSE's security annoucements are sent to this list. To subscribe, send an email to <suse-security-announce-subscribe@suse.com>. For general information or the frequently asked questions (faq) send mail to: <suse-security-info@suse.com> or <suse-security-faq@suse.com> respectively. ============================================== SuSE's security contact is <security@suse.com>. ============================================== Regards, Sebastian Krahmer ______________________________________________________________________________

Get the Latest News & Insights

SuSE: 'kdesu' vulnerability

Summary

References

Related News

Get the Latest News & Insights

News

Advisories

HOWTOs

Features

About Us

Powered By