
Vulnerability Bulletins


Multiple vulnerabilities in KDM on Linux / UNIX

Vulnerability classification

Confidence level: Official
Impact: Gain access
Difficulty: Advanced
Attacker requirements: Remote access without an account to an exotic service

System information

Affected vendor: GNU/Linux
Affected software: KDE <= 3.1.3

Description

Two vulnerabilities have been found in "KDM", the graphical login manager shipped with the KDE desktop environment for Linux/Unix, affecting KDE 3.1.3 and earlier (the source patches below are applied on top of 3.1.3). The first lies in KDM's handling of the pam_setcred() call: its return value is not checked, so an error condition triggered inside a PAM module can result in the session being started with superuser privileges, allowing a malicious user with an account on the system to gain root. The second lies in the algorithm KDM uses to generate X session cookies, which produces cookies with far less entropy than their length suggests and may allow a remote attacker to predict the cookie and hijack an active session.
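The second flaw is easier to see in code. The following is an added illustration written for this bulletin, not KDM's code and not the algorithm the KDE advisory describes: it assumes a hypothetical weak generator that seeds libc rand() with the login time (an assumption made for the example) and shows how an attacker who knows only roughly when the session began can rebuild the 128-bit cookie by searching seeds, beside a hardened generator that draws all 128 bits from /dev/urandom. The timestamp and the ten-minute search window are constructed sample input.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define COOKIE_BYTES 16  /* an X MIT-MAGIC-COOKIE-1 cookie is 128 bits */

/* Weak generator (hypothetical, for illustration only): seed libc rand()
 * with a clock value and fill the cookie from successive rand() outputs.
 * The only secret is the 32-bit seed, so the 128-bit cookie carries at most
 * 32 bits of entropy, and far fewer once the attacker knows roughly when
 * the login happened. */
static void weak_cookie(uint8_t out[COOKIE_BYTES], unsigned seed)
{
    srand(seed);
    for (int i = 0; i < COOKIE_BYTES; i++)
        out[i] = (uint8_t)(rand() & 0xff);
}

/* Attacker side: try every seed within `window` seconds of `guess` and
 * return the one that reproduces `target`, or -1 if none does. */
static long recover_seed(const uint8_t target[COOKIE_BYTES],
                         unsigned guess, unsigned window)
{
    uint8_t cand[COOKIE_BYTES];
    for (unsigned s = guess - window; s <= guess + window; s++) {
        weak_cookie(cand, s);
        if (memcmp(cand, target, COOKIE_BYTES) == 0)
            return (long)s;
    }
    return -1;
}

/* Hardened form: take all 128 bits from the kernel CSPRNG. Returns 0 on
 * success, -1 if /dev/urandom cannot be read; a caller must then refuse
 * to start the session rather than fall back to a weaker source. */
static int strong_cookie(uint8_t out[COOKIE_BYTES])
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t n = fread(out, 1, COOKIE_BYTES, f);
    fclose(f);
    return n == COOKIE_BYTES ? 0 : -1;
}

/* Returns 1 if an attacker who knows the login time only to within ten
 * minutes recovers the weak cookie's seed, 0 otherwise. */
int demo_weak_is_predictable(void)
{
    uint8_t cookie[COOKIE_BYTES];
    unsigned login_time = 1063670400u;  /* constructed: 2003-09-16 00:00:00 UTC */
    weak_cookie(cookie, login_time);
    /* attacker's guess is 137 s off; search +/- 600 s around it */
    return recover_seed(cookie, login_time + 137, 600) == (long)login_time;
}

/* Returns 1 if two strong cookies differ, 0 if they collide, -1 if the
 * CSPRNG could not be read. */
int demo_strong_is_unpredictable(void)
{
    uint8_t a[COOKIE_BYTES], b[COOKIE_BYTES];
    if (strong_cookie(a) != 0 || strong_cookie(b) != 0)
        return -1;
    return memcmp(a, b, COOKIE_BYTES) != 0;
}

int main(void)
{
    printf("weak cookie recovered by attacker: %s\n",
           demo_weak_is_predictable() ? "yes" : "no");
    printf("strong cookies distinct: %d\n", demo_strong_is_unpredictable());
    return 0;
}
```

Compile with `cc -o cookie cookie.c` and run. The weak cookie is recovered in a fraction of a second with about 1200 candidate seeds; since X access control rests entirely on the MIT-MAGIC-COOKIE-1 value being unguessable, any predictable component in the cookie is equivalent to handing the attacker the display.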

Solution

Apply your distribution's own update mechanisms, or obtain the software sources, apply the patches listed below and compile it yourself.


Software updates

Patches for the KDE sources
KDE 2.2.2
ftp://ftp.kde.org/pub/kde/security_patches/post-2.2.2-kdebase-kdm.patch
KDE 3.0.5b
ftp://ftp.kde.org/pub/kde/security_patches/post-3.0.5-kdebase-kdm.patch
KDE 3.1.3
ftp://ftp.kde.org/pub/kde/security_patches/post-3.1.3-kdebase-kdm.patch

Red Hat Linux

Red Hat Linux 7.1
i386
ftp://updates.redhat.com/7.1/en/os/i386/kdebase-2.2.2-0.71.5.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/kdebase-devel-2.2.2-0.71.5.i386.rpm

Red Hat Linux 7.2
i386
ftp://updates.redhat.com/7.2/en/os/i386/kdebase-2.2.2-11.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/kdebase-devel-2.2.2-11.i386.rpm
ia64
ftp://updates.redhat.com/7.2/en/os/ia64/kdebase-2.2.2-11.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/kdebase-devel-2.2.2-11.ia64.rpm

Red Hat Linux 7.3
i386
ftp://updates.redhat.com/7.3/en/os/i386/kdebase-3.0.5a-0.73.4.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/kdebase-devel-3.0.5a-0.73.4.i386.rpm

Red Hat Linux 8.0
i386
ftp://updates.redhat.com/8.0/en/os/i386/kdebase-3.0.5a-9.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/kdebase-devel-3.0.5a-9.i386.rpm

Red Hat Linux 9
i386
ftp://updates.redhat.com/9/en/os/i386/kdebase-3.1-15.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/kdebase-devel-3.1-15.i386.rpm

Mandrake Linux

Mandrake Linux Corporate Server 2.1
i586
ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates/corporate/2.1/RPMS/kdebase-3.0.5a-1.4mdk.i586.rpm
ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates/corporate/2.1/RPMS/kdebase-devel-3.0.5a-1.4mdk.i586.rpm
ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates/corporate/2.1/RPMS/kdebase-nsplugins-3.0.5a-1.4mdk.i586.rpm
x86_64
ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates/x86_64/corporate/2.1/RPMS/kdebase-3.0.5-2.2mdk.x86_64.rpm
ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates/x86_64/corporate/2.1/RPMS/kdebase-devel-3.0.5-2.2mdk.x86_64.rpm
ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates/x86_64/corporate/2.1/RPMS/kdebase-nsplugins-3.0.5-2.2mdk.x86_64.rpm

Mandrake Linux 9.0
i586
ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates/9.0/RPMS/kdebase-3.0.5a-1.4mdk.i586.rpm
ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates/9.0/RPMS/kdebase-devel-3.0.5a-1.4mdk.i586.rpm
ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates/9.0/RPMS/kdebase-nsplugins-3.0.5a-1.4mdk.i586.rpm

Mandrake Linux 9.1
i586
ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates/9.1/RPMS/kdebase-3.1-83.5mdk.i586.rpm
ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates/9.1/RPMS/kdebase-devel-3.1-83.5mdk.i586.rpm
ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates/9.1/RPMS/kdebase-kdm-3.1-83.5mdk.i586.rpm
ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates/9.1/RPMS/kdebase-nsplugins-3.1-83.5mdk.i586.rpm
ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates/9.1/RPMS/mdkkdm-9.1-24.2mdk.i586.rpm
PPC
ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates/ppc/9.1/RPMS/kdebase-3.1-83.5mdk.ppc.rpm
ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates/ppc/9.1/RPMS/kdebase-devel-3.1-83.5mdk.ppc.rpm
ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates/ppc/9.1/RPMS/kdebase-kdm-3.1-83.5mdk.ppc.rpm
ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates/ppc/9.1/RPMS/kdebase-nsplugins-3.1-83.5mdk.ppc.rpm
ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates/ppc/9.1/RPMS/mdkkdm-9.1-24.2mdk.ppc.rpm

Debian Linux

Debian Linux 3.0 "Woody"
Source
http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7.dsc
http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7.diff.gz
http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2.orig.tar.gz
Architecture-independent components
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-doc_2.2.2-14.7_all.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdewallpapers_2.2.2-14.7_all.deb
Alpha
http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_alpha.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_alpha.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_alpha.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_alpha.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_alpha.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_alpha.deb
http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_alpha.deb
http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_alpha.deb
http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_alpha.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_alpha.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_alpha.deb
ARM
http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_arm.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_arm.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_arm.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_arm.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_arm.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_arm.deb
http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_arm.deb
http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_arm.deb
http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_arm.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_arm.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_arm.deb
Intel IA-32
http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_i386.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_i386.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_i386.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_i386.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_i386.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_i386.deb
http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_i386.deb
http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_i386.deb
http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_i386.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_i386.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_i386.deb
Intel IA-64
http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_ia64.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_ia64.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_ia64.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_ia64.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_ia64.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_ia64.deb
http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_ia64.deb
http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_ia64.deb
http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_ia64.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_ia64.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_ia64.deb
HPPA
http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_hppa.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_hppa.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_hppa.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_hppa.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_hppa.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_hppa.deb
http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_hppa.deb
http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_hppa.deb
http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_hppa.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_hppa.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_hppa.deb
Motorola 680x0
http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_m68k.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_m68k.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_m68k.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_m68k.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_m68k.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_m68k.deb
http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_m68k.deb
http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_m68k.deb
http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_m68k.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_m68k.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_m68k.deb
Big endian MIPS
http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_mips.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_mips.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_mips.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_mips.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_mips.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_mips.deb
http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_mips.deb
http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_mips.deb
http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_mips.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_mips.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_mips.deb
Little endian MIPS
http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_mipsel.deb
PowerPC
http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_powerpc.deb
IBM S/390
http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_s390.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_s390.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_s390.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_s390.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_s390.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_s390.deb
http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_s390.deb
http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_s390.deb
http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_s390.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_s390.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_s390.deb
Sun Sparc
http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_sparc.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_sparc.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_sparc.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_sparc.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_sparc.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_sparc.deb
http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_sparc.deb
http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_sparc.deb
http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_sparc.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_sparc.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_sparc.deb

Standard identifiers

CVE: CAN-2003-0690, CAN-2003-0692
BID: (none listed)

Additional resources

Debian Security Advisory DSA-388
http://www.debian.org/security/2003/dsa-388

Mandrake security advisory MDKSA-2003:091
http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:091

Red Hat security advisory RHSA-2003:269
https://rhn.redhat.com/errata/RHSA-2003-269.html

KDE Security Advisory
http://www.kde.org/info/security/advisory-20030916-1.txt

Version history

Version Comment Date
1.0 Advisory issued 2003-09-23

Members of

Ministerio de Defensa
CNI
CCN
CCN-CERT