Bug#327039: marked as done (CAN-2005-2494: Insecure lockfile handling permits potential local root privilege escalation)
Your message dated Fri, 16 Sep 2005 19:32:13 -0700
with message-id <E1EGSUv-0003N2-00@spohr.debian.org>
and subject line Bug#327039: fixed in kdebase 4:3.4.2-3
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 7 Sep 2005 08:23:16 +0000
From jmm@inutil.org Wed Sep 07 01:23:16 2005
Return-path: <jmm@inutil.org>
Received: from (vserver151.vserver151.serverflex.de) [193.22.164.111]
by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
id 1ECvD9-0002QK-00; Wed, 07 Sep 2005 01:23:16 -0700
Received: from wlan-client-281.informatik.uni-bremen.de ([134.102.117.31] helo=localhost.localdomain)
by vserver151.vserver151.serverflex.de with esmtpsa (TLS-1.0:RSA_AES_256_CBC_SHA:32)
(Exim 4.50)
id 1ECvD5-000371-6n
for submit@bugs.debian.org; Wed, 07 Sep 2005 10:23:11 +0200
Received: from jmm by localhost.localdomain with local (Exim 4.52)
id 1ECvDm-0001Zz-W9; Wed, 07 Sep 2005 10:23:55 +0200
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CAN-2005-2494: Insecure lockfile handling permits potential local root
privilege escalation
X-Mailer: reportbug 3.17
Date: Wed, 07 Sep 2005 10:23:54 +0200
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
Message-Id: <E1ECvDm-0001Zz-W9@localhost.localdomain>
X-SA-Exim-Connect-IP: 134.102.117.31
X-SA-Exim-Mail-From: jmm@inutil.org
X-SA-Exim-Scanned: No (on vserver151.vserver151.serverflex.de); SAEximRunCond expanded to false
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-11.0 required=4.0 tests=BAYES_00,HAS_PACKAGE,
X_DEBBUGS_CC autolearn=ham version=2.60-bugs.debian.org_2005_01_02
Package: kdebase-bin
Version: 3.4.2-2
Severity: grave
Tags: security
Justification: user security hole
Please see http://www.kde.org/info/security/advisory-20050905-1.txt for details
and a patch.
Cheers,
Moritz
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-rc5
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
---------------------------------------
Received: (at 327039-close) by bugs.debian.org; 17 Sep 2005 02:38:24 +0000
From katie@spohr.debian.org Fri Sep 16 19:38:24 2005
Return-path: <katie@spohr.debian.org>
Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian))
id 1EGSUv-0003N2-00; Fri, 16 Sep 2005 19:32:13 -0700
From: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
To: 327039-close@bugs.debian.org
X-Katie: $Revision: 1.56 $
Subject: Bug#327039: fixed in kdebase 4:3.4.2-3
Message-Id: <E1EGSUv-0003N2-00@spohr.debian.org>
Sender: Archive Administrator <katie@spohr.debian.org>
Date: Fri, 16 Sep 2005 19:32:13 -0700
Delivered-To: 327039-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-CrossAssassin-Score: 2
Source: kdebase
Source-Version: 4:3.4.2-3
We believe that the bug you reported is fixed in the latest version of
kdebase, which is due to be installed in the Debian FTP archive:
kappfinder_3.4.2-3_i386.deb
to pool/main/k/kdebase/kappfinder_3.4.2-3_i386.deb
kate_3.4.2-3_i386.deb
to pool/main/k/kdebase/kate_3.4.2-3_i386.deb
kcontrol_3.4.2-3_i386.deb
to pool/main/k/kdebase/kcontrol_3.4.2-3_i386.deb
kdebase-bin_3.4.2-3_i386.deb
to pool/main/k/kdebase/kdebase-bin_3.4.2-3_i386.deb
kdebase-data_3.4.2-3_all.deb
to pool/main/k/kdebase/kdebase-data_3.4.2-3_all.deb
kdebase-dev_3.4.2-3_i386.deb
to pool/main/k/kdebase/kdebase-dev_3.4.2-3_i386.deb
kdebase-doc-html_3.4.2-3_all.deb
to pool/main/k/kdebase/kdebase-doc-html_3.4.2-3_all.deb
kdebase-doc_3.4.2-3_all.deb
to pool/main/k/kdebase/kdebase-doc_3.4.2-3_all.deb
kdebase-kio-plugins_3.4.2-3_i386.deb
to pool/main/k/kdebase/kdebase-kio-plugins_3.4.2-3_i386.deb
kdebase_3.4.2-3.diff.gz
to pool/main/k/kdebase/kdebase_3.4.2-3.diff.gz
kdebase_3.4.2-3.dsc
to pool/main/k/kdebase/kdebase_3.4.2-3.dsc
kdebase_3.4.2-3_all.deb
to pool/main/k/kdebase/kdebase_3.4.2-3_all.deb
kdepasswd_3.4.2-3_i386.deb
to pool/main/k/kdebase/kdepasswd_3.4.2-3_i386.deb
kdeprint_3.4.2-3_i386.deb
to pool/main/k/kdebase/kdeprint_3.4.2-3_i386.deb
kdesktop_3.4.2-3_i386.deb
to pool/main/k/kdebase/kdesktop_3.4.2-3_i386.deb
kdm_3.4.2-3_i386.deb
to pool/main/k/kdebase/kdm_3.4.2-3_i386.deb
kfind_3.4.2-3_i386.deb
to pool/main/k/kdebase/kfind_3.4.2-3_i386.deb
khelpcenter_3.4.2-3_i386.deb
to pool/main/k/kdebase/khelpcenter_3.4.2-3_i386.deb
kicker_3.4.2-3_i386.deb
to pool/main/k/kdebase/kicker_3.4.2-3_i386.deb
klipper_3.4.2-3_i386.deb
to pool/main/k/kdebase/klipper_3.4.2-3_i386.deb
kmenuedit_3.4.2-3_i386.deb
to pool/main/k/kdebase/kmenuedit_3.4.2-3_i386.deb
konqueror-nsplugins_3.4.2-3_i386.deb
to pool/main/k/kdebase/konqueror-nsplugins_3.4.2-3_i386.deb
konqueror_3.4.2-3_i386.deb
to pool/main/k/kdebase/konqueror_3.4.2-3_i386.deb
konsole_3.4.2-3_i386.deb
to pool/main/k/kdebase/konsole_3.4.2-3_i386.deb
kpager_3.4.2-3_i386.deb
to pool/main/k/kdebase/kpager_3.4.2-3_i386.deb
kpersonalizer_3.4.2-3_i386.deb
to pool/main/k/kdebase/kpersonalizer_3.4.2-3_i386.deb
ksmserver_3.4.2-3_i386.deb
to pool/main/k/kdebase/ksmserver_3.4.2-3_i386.deb
ksplash_3.4.2-3_i386.deb
to pool/main/k/kdebase/ksplash_3.4.2-3_i386.deb
ksysguard_3.4.2-3_i386.deb
to pool/main/k/kdebase/ksysguard_3.4.2-3_i386.deb
ksysguardd_3.4.2-3_i386.deb
to pool/main/k/kdebase/ksysguardd_3.4.2-3_i386.deb
ktip_3.4.2-3_i386.deb
to pool/main/k/kdebase/ktip_3.4.2-3_i386.deb
kwin_3.4.2-3_i386.deb
to pool/main/k/kdebase/kwin_3.4.2-3_i386.deb
libkonq4-dev_3.4.2-3_i386.deb
to pool/main/k/kdebase/libkonq4-dev_3.4.2-3_i386.deb
libkonq4_3.4.2-3_i386.deb
to pool/main/k/kdebase/libkonq4_3.4.2-3_i386.deb
xfonts-konsole_3.4.2-3_all.deb
to pool/main/k/kdebase/xfonts-konsole_3.4.2-3_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 327039@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org> (supplier of updated kdebase package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Fri, 16 Sep 2005 16:59:45 -0400
Source: kdebase
Binary: kdesktop kcontrol kpersonalizer kdm kdebase-doc-html klipper kappfinder kdebase-doc kdebase kmenuedit kicker libkonq4 konqueror-nsplugins kdebase-bin kdebase-dev ksplash kdeprint libkonq4-dev kwin kdepasswd ksmserver kfind kdebase-kio-plugins kpager khelpcenter xfonts-konsole kate ksysguard konqueror ktip ksysguardd kdebase-data konsole
Architecture: source i386 all
Version: 4:3.4.2-3
Distribution: unstable
Urgency: low
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Description:
kappfinder - non-KDE application finder for KDE
kate - advanced text editor for KDE
kcontrol - control center for KDE
kdebase - base components from the official KDE release
kdebase-bin - core binaries for the KDE base module
kdebase-data - shared data files for the KDE base module
kdebase-dev - development files for the KDE base module
kdebase-doc - developer documentation for the KDE base module
kdebase-doc-html - KDE base documentation in HTML format
kdebase-kio-plugins - core I/O slaves for KDE
kdepasswd - password changer for KDE
kdeprint - print system for KDE
kdesktop - miscellaneous binaries and files for the KDE desktop
kdm - X display manager for KDE
kfind - file-find utility for KDE
khelpcenter - help center for KDE
kicker - desktop panel for KDE
klipper - clipboard utility for KDE
kmenuedit - menu editor for KDE
konqueror - KDE's advanced file manager, web browser and document viewer
konqueror-nsplugins - Netscape plugin support for Konqueror
konsole - X terminal emulator for KDE
kpager - desktop pager for KDE
kpersonalizer - installation personalizer for KDE
ksmserver - session manager for KDE
ksplash - the KDE splash screen
ksysguard - system guard for KDE
ksysguardd - system guard daemon for KDE
ktip - useful tips for KDE
kwin - the KDE window manager
libkonq4 - core libraries for Konqueror
libkonq4-dev - development files for Konqueror's core libraries
xfonts-konsole - fonts used by the KDE's Konsole
Closes: 326542 327039 327191
Changes:
kdebase (4:3.4.2-3) unstable; urgency=low
.
* KDE_3_4_BRANCH update (up to r458655). This includes a fix for a local
root exploit, CAN-2005-2494, in the kcheckpass binary (Closes: #327039)
.
+++ Changes by Christopher Martin:
.
* Add a NEWS entry that explains the KDM upgrade process for users moving
from KDM 3.3.x, as well as KDM's new behaviour regarding login scripts.
(Closes: #326542, #327191)
.
* Add a patch from the "Improving KDE" set that eliminates a superfluous
border around kicker's systray that appeared on mouseover.
.
* Add another "Improving KDE" patch that allows the selection of a special
transparent selection rectangle (off by default) to be made from the
Control Center's Style module. Temporarily bump our kdelibs build-depends,
to ensure that we build against a similarly patched Qt and kdelibs.
Files:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Signed by Christopher Martin <chrsmrtn@debian.org>
iD8DBQFDK279U+gWW+vtsysRAoDWAJ9jjsCGZFC7NJyKC3IFUqM63MIkRQCfenZq
YyXHj5h2cW0cI7hC1huAoa0=
=IM/J
-----END PGP SIGNATURE-----