Bug#374002: kdm: [CVE-2006-2449] KDM symlink attack vulnerability

Package: kdm
Version: 4:3.5.3-2
Severity: grave
Tags: security patch
Justification: user security hole

KDM allows the user to select the session type for login. This
setting is permanently stored in the user home directory. By
using a symlink attack, KDM can be tricked into allowing the
user to read file content that would otherwise be unreadable
to this particular user.

See http://www.kde.org/info/security/advisory-20060614-1.txt
(includes patch)

Please mention the CVE-id in the changelog.
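
Added example (not part of the original report, and not the patch from the KDE advisory): a privileged process that must read a per-user file, as KDM does with the stored session type, can refuse symlinks and verify ownership on the opened descriptor. The function names, the /tmp demo paths and the choice of checks are assumptions made for illustration.

```c
/* Added example: hypothetical helpers, not KDM code. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a per-user settings file from a privileged process without
 * following a symlink planted by that user. Returns an fd, or -1. */
int open_user_file(const char *path, uid_t owner)
{
    struct stat st;
    /* O_NOFOLLOW: fail (ELOOP) if the last path component is a symlink.
     * O_NONBLOCK: do not hang if a FIFO was placed at the path. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* fstat the opened object (not the path) so the check cannot be raced. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != owner || st.st_nlink != 1) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}

/* Constructed demo: a file we own, a symlink to it, a wrong-owner check. */
int demo_checks(void)
{
    char target[] = "/tmp/dmrc-demo-XXXXXX", link_path[64];
    int fd = mkstemp(target);
    if (fd < 0)
        return -1;
    close(fd);
    snprintf(link_path, sizeof link_path, "%s.lnk", target);
    if (symlink(target, link_path) != 0) { unlink(target); return -1; }
    int direct = open_user_file(target, geteuid());     /* accepted */
    int linked = open_user_file(link_path, geteuid());  /* rejected: symlink */
    int other = open_user_file(target, geteuid() + 1);  /* rejected: owner */
    if (direct >= 0) close(direct);
    unlink(link_path);
    unlink(target);
    return direct >= 0 && linked < 0 && other < 0;
}

int main(void) { return demo_checks() == 1 ? 0 : 1; }
```

Switching to the user's own credentials before opening the file is the other common defence; the descriptor checks above apply when the read has to happen while still privileged.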
