GLSA-200606-23 : KDM: Symlink vulnerability

This script is Copyright (C) 2006-2014 Tenable Network Security, Inc.


Synopsis :

The remote Gentoo host is missing one or more security-related
patches.

Description :

The remote host is affected by the vulnerability described in GLSA-200606-23
(KDM: Symlink vulnerability)

Ludwig Nussel discovered that KDM could be tricked into allowing users
to read files that would otherwise not be readable.

Impact :

A local attacker could exploit this issue to obtain potentially
sensitive information that is usually not accessable to the local user
such as shadow files or other user's files. The default Gentoo user
running KDM is root and, as a result, the local attacker can read any
file.

Workaround :

There is no known workaround at this time.

See also :

http://www.kde.org/info/security/advisory-20060614-1.txt
http://www.gentoo.org/security/en/glsa/glsa-200606-23.xml

Solution :

All kdebase users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose kde-base/kdebase
All KDE split ebuild users should upgrade to the latest KDM version:
# emerge --sync
# emerge --ask --oneshot --verbose kde-base/kdm

Risk factor :

Medium / CVSS Base Score : 4.0
(CVSS2#AV:L/AC:H/Au:N/C:C/I:N/A:N)

Family: Gentoo Local Security Checks

Nessus Plugin ID: 21743 (gentoo_GLSA-200606-23.nasl)

Bugtraq ID:

CVE ID: CVE-2006-2449