<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> <glsa id="200311-01"> <title>kdebase: KDM vulnerabilities</title> <synopsis> A bug in KDM can allow privilege escalation with certain configurations of PAM modules. </synopsis> <product type="ebuild">kdebase</product> <announced>2003-11-15</announced> <revised count="01">2003-11-15</revised> <bug>29406</bug> <access>local / remote</access> <affected> <package name="kde-base/kdebase" auto="yes" arch="*"> <unaffected range="ge">3.1.4</unaffected> <vulnerable range="le">3.1.3</vulnerable> </package> </affected> <background> <p> KDM is the desktop manager included with the K Desktop Environment. </p> </background> <description> <p> Firstly, versions of KDM <=3.1.3 are vulnerable to a privilege escalation bug with a specific configuration of PAM modules. Users who do not use PAM with KDM and users who use PAM with regular Unix crypt/MD5 based authentication methods are not affected. </p> <p> Secondly, KDM uses a weak cookie generation algorithm. Users are advised to upgrade to KDE 3.1.4, which uses /dev/urandom as a non-predictable source of entropy to improve security. </p> </description> <impact type="normal"> <p> A remote or local attacker could gain root privileges. </p> </impact> <workaround> <p> There is no known workaround at this time. </p> </workaround> <resolution> <p> It is recommended that all Gentoo Linux users who are running kde-base/kdebase <=3.1.3 upgrade: </p> <code> # emerge sync # emerge -pv '>=kde-base/kde-3.1.4' # emerge '>=kde-base/kde-3.1.4' # emerge clean</code> </resolution> <references> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0690">CAN-2003-0690</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0692">CAN-2003-0692</uri> <uri link="https://www.kde.org/info/security/advisory-20030916-1.txt">KDE Security Advisory</uri> </references> </glsa>