[CVE-2010-0436] KDM Local Privilege Escalation Vulnerability

Bug #562440 reported by Jonathan Thomas
Affects                     Status        Importance  Assigned to       Milestone
kdebase-workspace (Ubuntu)  Fix Released  High        Jonathan Thomas
  Intrepid                  Fix Released  High        Jamie Strandboge
  Jaunty                    Fix Released  High        Jamie Strandboge
  Karmic                    Fix Released  High        Jamie Strandboge
  Lucid                     Fix Released  High        Jonathan Thomas

Bug Description

Binary package hint: kdebase-workspace

Security advisory: http://www.kde.org/info/security/advisory-20100413-1.txt

The patch: ftp://ftp.kde.org/pub/kde/security_patches/kdebase-workspace-4.3.5-CVE-2010-0436.diff

Affects all currently-supported Kubuntu versions, from Intrepid to Lucid.

Changed in kdebase-workspace (Ubuntu):
importance: Undecided → High
status: New → Triaged
Changed in kdebase-workspace (Ubuntu Jaunty):
status: New → Triaged
Changed in kdebase-workspace (Ubuntu Intrepid):
importance: Undecided → High
Changed in kdebase-workspace (Ubuntu Jaunty):
importance: Undecided → High
Changed in kdebase-workspace (Ubuntu Intrepid):
status: New → Triaged
Changed in kdebase-workspace (Ubuntu Karmic):
importance: Undecided → High
status: New → Triaged
Changed in kdebase-workspace (Ubuntu Lucid):
assignee: nobody → Jonathan Thomas (echidnaman)
security vulnerability: no → yes
Changed in kdebase-workspace (Ubuntu Lucid):
status: Triaged → In Progress
Changed in kdebase-workspace (Ubuntu Lucid):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kdebase-workspace - 4:4.4.2-0ubuntu12

---------------
kdebase-workspace (4:4.4.2-0ubuntu12) lucid; urgency=low

  [ Jonathan Thomas ]
  * Add CVE-2010-0436_fix_kdm_local_exploit.diff from upstream to fix a local
    KDM vulnerability (LP: #562440)

  [ Felix Geyer ]
  * Add kubuntu_119_powerdevil_fix_suspend_twice.diff, fixes PowerDevil
    suspending twice when system is idle.
    http://bugs.kde.org/221637
  * Add kubuntu_120_powerdevil_reset_status_after_idle.diff, fixes PowerDevil
    only suspending once per session.
    http://bugs.kde.org/221648
 -- Jonathan Thomas <email address hidden> Tue, 13 Apr 2010 13:44:39 -0400

Changed in kdebase-workspace (Ubuntu Lucid):
status: Fix Committed → Fix Released
Jonathan Riddell (jr) wrote :
Jonathan Riddell (jr) wrote :
Jonathan Riddell (jr) wrote :
Heimen Stoffels (vistaus) wrote :

Good :) But how about 8.10, 9.04 and 9.10?

Jonathan Thomas (echidnaman) wrote :

See the patches right above your comment? Just waiting for the security team to upload those.

Changed in kdebase-workspace (Ubuntu Intrepid):
status: Triaged → Fix Committed
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in kdebase-workspace (Ubuntu Jaunty):
status: Triaged → Fix Committed
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in kdebase-workspace (Ubuntu Karmic):
status: Triaged → Fix Committed
assignee: nobody → Jamie Strandboge (jdstrand)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kdebase-workspace - 4:4.3.2-0ubuntu7.2

---------------
kdebase-workspace (4:4.3.2-0ubuntu7.2) karmic-security; urgency=low

  * SECURITY UPDATE: KDM Local Privilege Escalation Vulnerability (LP: #562440).
   - Add debian/patches/CVE-2010-0436_fix_kdm_local_exploit.diff
   - kdm/backend/ctrl.c: prevent race condition during user login which could
     allow execution of arbitrary code as root
   - CVE-2010-0436
   - http://www.kde.org/info/security/advisory-20100413-1.txt
 -- Jonathan Riddell <email address hidden> Fri, 16 Apr 2010 19:00:37 +0100

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kdebase-workspace - 4:4.2.2-0ubuntu2.1

---------------
kdebase-workspace (4:4.2.2-0ubuntu2.1) jaunty-security; urgency=low

  * SECURITY UPDATE: KDM Local Privilege Escalation Vulnerability (LP: #562440).
   - Add debian/patches/CVE-2010-0436_fix_kdm_local_exploit.diff
   - kdm/backend/ctrl.c: prevent race condition during user login which could
     allow execution of arbitrary code as root
   - CVE-2010-0436
   - http://www.kde.org/info/security/advisory-20100413-1.txt
 -- Jonathan Riddell <email address hidden> Fri, 16 Apr 2010 19:16:35 +0100

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kdebase-workspace - 4:4.1.4-0ubuntu1~intrepid3.2

---------------
kdebase-workspace (4:4.1.4-0ubuntu1~intrepid3.2) intrepid-security; urgency=low

  * SECURITY UPDATE: KDM Local Privilege Escalation Vulnerability (LP: #562440).
   - Add debian/patches/CVE-2010-0436_fix_kdm_local_exploit.diff
   - kdm/backend/ctrl.c: prevent race condition during user login which could
     allow execution of arbitrary code as root
   - CVE-2010-0436
   - http://www.kde.org/info/security/advisory-20100413-1.txt
 -- Jonathan Riddell <email address hidden> Fri, 16 Apr 2010 19:19:37 +0100

Changed in kdebase-workspace (Ubuntu Intrepid):
status: Fix Committed → Fix Released
Changed in kdebase-workspace (Ubuntu Jaunty):
status: Fix Committed → Fix Released
Changed in kdebase-workspace (Ubuntu Karmic):
status: Fix Committed → Fix Released