
Bug#327039: marked as done (CAN-2005-2494: Insecure lockfile handling permits potential local root privilege escalation)



Your message dated Fri, 16 Sep 2005 19:32:13 -0700
with message-id <E1EGSUv-0003N2-00@spohr.debian.org>
and subject line Bug#327039: fixed in kdebase 4:3.4.2-3
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 7 Sep 2005 08:23:16 +0000
>From jmm@inutil.org Wed Sep 07 01:23:16 2005
Return-path: <jmm@inutil.org>
Received: from (vserver151.vserver151.serverflex.de) [193.22.164.111] 
	by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
	id 1ECvD9-0002QK-00; Wed, 07 Sep 2005 01:23:16 -0700
Received: from wlan-client-281.informatik.uni-bremen.de ([134.102.117.31] helo=localhost.localdomain)
	by vserver151.vserver151.serverflex.de with esmtpsa (TLS-1.0:RSA_AES_256_CBC_SHA:32)
	(Exim 4.50)
	id 1ECvD5-000371-6n
	for submit@bugs.debian.org; Wed, 07 Sep 2005 10:23:11 +0200
Received: from jmm by localhost.localdomain with local (Exim 4.52)
	id 1ECvDm-0001Zz-W9; Wed, 07 Sep 2005 10:23:55 +0200
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CAN-2005-2494: Insecure lockfile handling permits potential local root
 privilege escalation
X-Mailer: reportbug 3.17
Date: Wed, 07 Sep 2005 10:23:54 +0200
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
Message-Id: <E1ECvDm-0001Zz-W9@localhost.localdomain>
X-SA-Exim-Connect-IP: 134.102.117.31
X-SA-Exim-Mail-From: jmm@inutil.org
X-SA-Exim-Scanned: No (on vserver151.vserver151.serverflex.de); SAEximRunCond expanded to false
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-11.0 required=4.0 tests=BAYES_00,HAS_PACKAGE,
	X_DEBBUGS_CC autolearn=ham version=2.60-bugs.debian.org_2005_01_02

Package: kdebase-bin
Version: 3.4.2-2
Severity: grave
Tags: security
Justification: user security hole

Please see http://www.kde.org/info/security/advisory-20050905-1.txt for details
and a patch.
 
Cheers,
        Moritz
-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-rc5
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
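
The subject line names the vulnerability class (insecure lock-file handling in a setuid-root helper) but neither this report nor the changelog below describes kcheckpass's actual defect; the details are in the KDE advisory linked above. The following C program is an added illustration written for this page, not kcheckpass source and not the patch that fixed it. It shows the generic failure mode behind that class: a privileged process that creates its lock with O_CREAT|O_TRUNC in a directory other users can write to will follow a pre-planted symlink and create or truncate whatever the link points at. The hardened variant uses O_EXCL|O_NOFOLLOW and cross-checks fstat() against lstat(). The lock-file name, the temporary directory and the "victim" target are all assumptions for the demo, which runs unprivileged in a directory it creates itself.

```c
/* Added example for this page: insecure vs. hardened lock-file creation in a
 * privileged process. Illustrative code, not kcheckpass source; the page does
 * not describe kcheckpass's exact bug, only its class. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Insecure pattern: O_CREAT|O_TRUNC follows a symlink planted at `path`, so a
 * root process would create or truncate the link's target instead of a lock. */
static int lock_insecure(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened pattern: O_EXCL fails if anything (a dangling symlink included)
 * already exists at `path`, O_NOFOLLOW refuses symlinks outright, and the
 * fstat/lstat comparison detects the entry being swapped after creation. */
static int lock_secure(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    struct stat st_fd, st_path;
    if (fstat(fd, &st_fd) != 0 || lstat(path, &st_path) != 0
        || !S_ISREG(st_fd.st_mode)
        || st_fd.st_ino != st_path.st_ino || st_fd.st_dev != st_path.st_dev) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Demo 1: an "attacker" plants lock -> victim before the privileged code runs.
 * Returns 1 when the insecure variant creates `victim` through the link and
 * the hardened variant refuses; 0 otherwise. Everything lives in a temp dir
 * created here (constructed setup, no real privileges involved). */
int demo_symlink_attack(void)
{
    char dir[] = "/tmp/lockdemo.XXXXXX";
    if (!mkdtemp(dir))
        return 0;
    char lock[256], target[256];
    snprintf(lock, sizeof lock, "%s/screensaver.lock", dir); /* hypothetical name */
    snprintf(target, sizeof target, "%s/victim", dir);        /* does not exist yet */
    if (symlink(target, lock) != 0) {
        rmdir(dir);
        return 0;
    }
    int result = 1;

    int fd = lock_insecure(lock);          /* writes through the symlink */
    if (fd < 0 || access(target, F_OK) != 0)
        result = 0;
    if (fd >= 0)
        close(fd);

    fd = lock_secure(lock);                /* must refuse: path is a symlink */
    if (fd >= 0) {
        close(fd);
        result = 0;
    } else if (errno != EEXIST && errno != ELOOP) {
        result = 0;
    }

    unlink(target);
    unlink(lock);
    rmdir(dir);
    return result;
}

/* Demo 2: on a clean path the hardened variant succeeds once and then refuses
 * a second acquisition while the lock exists. Returns 1 on expected behaviour. */
int demo_secure_clean_path(void)
{
    char dir[] = "/tmp/lockdemo.XXXXXX";
    if (!mkdtemp(dir))
        return 0;
    char lock[256];
    snprintf(lock, sizeof lock, "%s/screensaver.lock", dir);
    int fd = lock_secure(lock);
    int ok = fd >= 0;
    if (fd >= 0)
        close(fd);
    int fd2 = lock_secure(lock);           /* lock held: must fail with EEXIST */
    if (fd2 >= 0) {
        close(fd2);
        ok = 0;
    }
    unlink(lock);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("symlink attack: insecure followed link, secure refused: %s\n",
           demo_symlink_attack() ? "yes" : "no");
    printf("secure variant on clean path behaves correctly: %s\n",
           demo_secure_clean_path() ? "yes" : "no");
    return 0;
}
```

The demo runs as an ordinary user, so the "victim" file is created with the user's own privileges; the point is that the same open() in a setuid-root helper would do it as root. Note that O_EXCL alone already defeats the symlink, because with O_CREAT|O_EXCL the kernel treats an existing symlink as an existing entry and does not follow it; O_NOFOLLOW and the fstat/lstat check are defence in depth against a non-O_EXCL fallback path or a later reopen.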

---------------------------------------
Received: (at 327039-close) by bugs.debian.org; 17 Sep 2005 02:38:24 +0000
>From katie@spohr.debian.org Fri Sep 16 19:38:24 2005
Return-path: <katie@spohr.debian.org>
Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian))
	id 1EGSUv-0003N2-00; Fri, 16 Sep 2005 19:32:13 -0700
From: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
To: 327039-close@bugs.debian.org
X-Katie: $Revision: 1.56 $
Subject: Bug#327039: fixed in kdebase 4:3.4.2-3
Message-Id: <E1EGSUv-0003N2-00@spohr.debian.org>
Sender: Archive Administrator <katie@spohr.debian.org>
Date: Fri, 16 Sep 2005 19:32:13 -0700
Delivered-To: 327039-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-CrossAssassin-Score: 2

Source: kdebase
Source-Version: 4:3.4.2-3

We believe that the bug you reported is fixed in the latest version of
kdebase, which is due to be installed in the Debian FTP archive:

kappfinder_3.4.2-3_i386.deb
  to pool/main/k/kdebase/kappfinder_3.4.2-3_i386.deb
kate_3.4.2-3_i386.deb
  to pool/main/k/kdebase/kate_3.4.2-3_i386.deb
kcontrol_3.4.2-3_i386.deb
  to pool/main/k/kdebase/kcontrol_3.4.2-3_i386.deb
kdebase-bin_3.4.2-3_i386.deb
  to pool/main/k/kdebase/kdebase-bin_3.4.2-3_i386.deb
kdebase-data_3.4.2-3_all.deb
  to pool/main/k/kdebase/kdebase-data_3.4.2-3_all.deb
kdebase-dev_3.4.2-3_i386.deb
  to pool/main/k/kdebase/kdebase-dev_3.4.2-3_i386.deb
kdebase-doc-html_3.4.2-3_all.deb
  to pool/main/k/kdebase/kdebase-doc-html_3.4.2-3_all.deb
kdebase-doc_3.4.2-3_all.deb
  to pool/main/k/kdebase/kdebase-doc_3.4.2-3_all.deb
kdebase-kio-plugins_3.4.2-3_i386.deb
  to pool/main/k/kdebase/kdebase-kio-plugins_3.4.2-3_i386.deb
kdebase_3.4.2-3.diff.gz
  to pool/main/k/kdebase/kdebase_3.4.2-3.diff.gz
kdebase_3.4.2-3.dsc
  to pool/main/k/kdebase/kdebase_3.4.2-3.dsc
kdebase_3.4.2-3_all.deb
  to pool/main/k/kdebase/kdebase_3.4.2-3_all.deb
kdepasswd_3.4.2-3_i386.deb
  to pool/main/k/kdebase/kdepasswd_3.4.2-3_i386.deb
kdeprint_3.4.2-3_i386.deb
  to pool/main/k/kdebase/kdeprint_3.4.2-3_i386.deb
kdesktop_3.4.2-3_i386.deb
  to pool/main/k/kdebase/kdesktop_3.4.2-3_i386.deb
kdm_3.4.2-3_i386.deb
  to pool/main/k/kdebase/kdm_3.4.2-3_i386.deb
kfind_3.4.2-3_i386.deb
  to pool/main/k/kdebase/kfind_3.4.2-3_i386.deb
khelpcenter_3.4.2-3_i386.deb
  to pool/main/k/kdebase/khelpcenter_3.4.2-3_i386.deb
kicker_3.4.2-3_i386.deb
  to pool/main/k/kdebase/kicker_3.4.2-3_i386.deb
klipper_3.4.2-3_i386.deb
  to pool/main/k/kdebase/klipper_3.4.2-3_i386.deb
kmenuedit_3.4.2-3_i386.deb
  to pool/main/k/kdebase/kmenuedit_3.4.2-3_i386.deb
konqueror-nsplugins_3.4.2-3_i386.deb
  to pool/main/k/kdebase/konqueror-nsplugins_3.4.2-3_i386.deb
konqueror_3.4.2-3_i386.deb
  to pool/main/k/kdebase/konqueror_3.4.2-3_i386.deb
konsole_3.4.2-3_i386.deb
  to pool/main/k/kdebase/konsole_3.4.2-3_i386.deb
kpager_3.4.2-3_i386.deb
  to pool/main/k/kdebase/kpager_3.4.2-3_i386.deb
kpersonalizer_3.4.2-3_i386.deb
  to pool/main/k/kdebase/kpersonalizer_3.4.2-3_i386.deb
ksmserver_3.4.2-3_i386.deb
  to pool/main/k/kdebase/ksmserver_3.4.2-3_i386.deb
ksplash_3.4.2-3_i386.deb
  to pool/main/k/kdebase/ksplash_3.4.2-3_i386.deb
ksysguard_3.4.2-3_i386.deb
  to pool/main/k/kdebase/ksysguard_3.4.2-3_i386.deb
ksysguardd_3.4.2-3_i386.deb
  to pool/main/k/kdebase/ksysguardd_3.4.2-3_i386.deb
ktip_3.4.2-3_i386.deb
  to pool/main/k/kdebase/ktip_3.4.2-3_i386.deb
kwin_3.4.2-3_i386.deb
  to pool/main/k/kdebase/kwin_3.4.2-3_i386.deb
libkonq4-dev_3.4.2-3_i386.deb
  to pool/main/k/kdebase/libkonq4-dev_3.4.2-3_i386.deb
libkonq4_3.4.2-3_i386.deb
  to pool/main/k/kdebase/libkonq4_3.4.2-3_i386.deb
xfonts-konsole_3.4.2-3_all.deb
  to pool/main/k/kdebase/xfonts-konsole_3.4.2-3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 327039@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org> (supplier of updated kdebase package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 16 Sep 2005 16:59:45 -0400
Source: kdebase
Binary: kdesktop kcontrol kpersonalizer kdm kdebase-doc-html klipper kappfinder kdebase-doc kdebase kmenuedit kicker libkonq4 konqueror-nsplugins kdebase-bin kdebase-dev ksplash kdeprint libkonq4-dev kwin kdepasswd ksmserver kfind kdebase-kio-plugins kpager khelpcenter xfonts-konsole kate ksysguard konqueror ktip ksysguardd kdebase-data konsole
Architecture: source i386 all
Version: 4:3.4.2-3
Distribution: unstable
Urgency: low
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Description: 
 kappfinder - non-KDE application finder for KDE
 kate       - advanced text editor for KDE
 kcontrol   - control center for KDE
 kdebase    - base components from the official KDE release
 kdebase-bin - core binaries for the KDE base module
 kdebase-data - shared data files for the KDE base module
 kdebase-dev - development files for the KDE base module
 kdebase-doc - developer documentation for the KDE base module
 kdebase-doc-html - KDE base documentation in HTML format
 kdebase-kio-plugins - core I/O slaves for KDE
 kdepasswd  - password changer for KDE
 kdeprint   - print system for KDE
 kdesktop   - miscellaneous binaries and files for the KDE desktop
 kdm        - X display manager for KDE
 kfind      - file-find utility for KDE
 khelpcenter - help center for KDE
 kicker     - desktop panel for KDE
 klipper    - clipboard utility for KDE
 kmenuedit  - menu editor for KDE
 konqueror  - KDE's advanced file manager, web browser and document viewer
 konqueror-nsplugins - Netscape plugin support for Konqueror
 konsole    - X terminal emulator for KDE
 kpager     - desktop pager for KDE
 kpersonalizer - installation personalizer for KDE
 ksmserver  - session manager for KDE
 ksplash    - the KDE splash screen
 ksysguard  - system guard for KDE
 ksysguardd - system guard daemon for KDE
 ktip       - useful tips for KDE
 kwin       - the KDE window manager
 libkonq4   - core libraries for Konqueror
 libkonq4-dev - development files for Konqueror's core libraries
 xfonts-konsole - fonts used by the KDE's Konsole
Closes: 326542 327039 327191
Changes: 
 kdebase (4:3.4.2-3) unstable; urgency=low
 .
   * KDE_3_4_BRANCH update (up to r458655). This includes a fix for a local
     root exploit, CAN-2005-2494, in the kcheckpass binary (Closes: #327039)
 .
   +++ Changes by Christopher Martin:
 .
   * Add a NEWS entry that explains the KDM upgrade process for users moving
     from KDM 3.3.x, as well as KDM's new behaviour regarding login scripts.
     (Closes: #326542, #327191)
 .
   * Add a patch from the "Improving KDE" set that eliminates a superfluous
     border around kicker's systray that appeared on mouseover.
 .
   * Add another "Improving KDE" patch that allows the selection of a special
     transparent selection rectangle (off by default) to be made from the
     Control Center's Style module. Temporarily bump our kdelibs build-depends,
     to ensure that we build against a similarly patched Qt and kdelibs.
Files: 
 d506c8221901f45ad5a5935df36b85a9 1720 kde optional kdebase_3.4.2-3.dsc
 c6c8a30a44557d9a1f40bf91d4cf0d40 1622488 kde optional kdebase_3.4.2-3.diff.gz
 7a60627b7737bec1de3d101c26a0e476 31752 kde optional kdebase_3.4.2-3_all.deb
 2b04fe1e575bb4a600a3e7bbc3e474cb 5729692 kde optional kdebase-data_3.4.2-3_all.deb
 793f0ad80122ab1458136360eed19e6a 3806652 doc optional kdebase-doc_3.4.2-3_all.deb
 32fce2255896a2606df54ff1b3dd33f0 339204 doc optional kdebase-doc-html_3.4.2-3_all.deb
 47c1dd177bdc43480be241dd31c4b37a 47966 x11 optional xfonts-konsole_3.4.2-3_all.deb
 c49e3d2a9784fcddefac4df68ef7ddfb 261086 kde optional kappfinder_3.4.2-3_i386.deb
 690941b2ea2364748927d6012034fa00 628406 editors optional kate_3.4.2-3_i386.deb
 cc15a0ef37bfc1d15270b83dbfc8c459 7835498 kde optional kcontrol_3.4.2-3_i386.deb
 4d3c108e8585a3a61237c10505d60cdc 1056382 kde optional kdebase-bin_3.4.2-3_i386.deb
 bc213321a770e406a4faa02167f2744d 71122 devel optional kdebase-dev_3.4.2-3_i386.deb
 bc7d598ef6b3ec2fb5a04b55c07c14e5 737204 kde optional kdebase-kio-plugins_3.4.2-3_i386.deb
 4734d40233085d1fdd3e2c289177b468 231602 utils optional kdepasswd_3.4.2-3_i386.deb
 423b28034c0f8b50b99a1b12dc5ef7ca 1107464 utils optional kdeprint_3.4.2-3_i386.deb
 cb3f144d1c00a578c098c5ac08ab94ff 737524 kde optional kdesktop_3.4.2-3_i386.deb
 3c87f91a17b3cee06c505375e26b9c44 607444 kde optional kdm_3.4.2-3_i386.deb
 33d7a6ee475ee4828054e6bc771dc281 187322 utils optional kfind_3.4.2-3_i386.deb
 8ec428014c875c22e6841d278d3c8bac 1787512 kde optional khelpcenter_3.4.2-3_i386.deb
 66d437cf78c7711c6a69643919819397 1710388 kde optional kicker_3.4.2-3_i386.deb
 463f42a3d1df02bf8b060fadabf653b3 243910 kde optional klipper_3.4.2-3_i386.deb
 96b629d36a362fd85552ab53800b9d2b 211488 kde optional kmenuedit_3.4.2-3_i386.deb
 4783f62922a27dd6b44ac3d6d8449a07 2013460 web optional konqueror_3.4.2-3_i386.deb
 7da64cd0989fde7d1dbdddcc87db14fb 131852 utils optional konqueror-nsplugins_3.4.2-3_i386.deb
 25f101b1807c9959b312e02c76e5b4f7 581260 kde optional konsole_3.4.2-3_i386.deb
 6d97ed73441b48c81bdfc2543af1738c 105530 kde optional kpager_3.4.2-3_i386.deb
 978fc89536fd000fe670289bafa6930f 479826 kde optional kpersonalizer_3.4.2-3_i386.deb
 9e6688bfb6782b931c70f5d86e51c003 145780 kde optional ksmserver_3.4.2-3_i386.deb
 5fa7eee0c31cfb25374fc3e7edc56352 810868 kde optional ksplash_3.4.2-3_i386.deb
 e4586a00c30998a949f4f7ea645bc527 467562 utils optional ksysguard_3.4.2-3_i386.deb
 dca7e705693412cdbba56ff764243cc9 58682 utils optional ksysguardd_3.4.2-3_i386.deb
 28889874155250444046c79c69b2bddd 91270 kde optional ktip_3.4.2-3_i386.deb
 6bdae5953cc6b583227f4076ed902ef1 968090 kde optional kwin_3.4.2-3_i386.deb
 4de2a76041e30a39eead3d1d39220baf 252994 libs optional libkonq4_3.4.2-3_i386.deb
 1a66cc3d27d5ae49baf9f4f497d1ff15 58278 libdevel optional libkonq4-dev_3.4.2-3_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Signed by Christopher Martin <chrsmrtn@debian.org>

iD8DBQFDK279U+gWW+vtsysRAoDWAJ9jjsCGZFC7NJyKC3IFUqM63MIkRQCfenZq
YyXHj5h2cW0cI7hC1huAoa0=
=IM/J
-----END PGP SIGNATURE-----


