Oracle Linux 4 / 5 : kdebase (ELSA-2010-0348)

This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.


Synopsis :

The remote Oracle Linux host is missing one or more security updates.

Description :

From Red Hat Security Advisory 2010:0348 :

Updated kdebase packages that fix one security issue are now available
for Red Hat Enterprise Linux 4 and 5.

The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System
(CVSS) base score, which gives a detailed severity rating, is
available from the CVE link in the References section.

The K Desktop Environment (KDE) is a graphical desktop environment for
the X Window System. The kdebase packages include core applications
for KDE.

A privilege escalation flaw was found in the KDE Display Manager
(KDM). A local user with console access could trigger a race
condition, possibly resulting in the permissions of an arbitrary file
being set to world-writable, allowing privilege escalation.
(CVE-2010-0436)

Red Hat would like to thank Sebastian Krahmer of the SuSE Security
Team for responsibly reporting this issue.

Users of KDE should upgrade to these updated packages, which contain a
backported patch to correct this issue. The system should be rebooted
for this update to take effect. After the reboot, administrators
should manually remove all leftover user-owned dmctl-* directories in
'/var/run/xdmctl/'.

See also :

https://oss.oracle.com/pipermail/el-errata/2010-April/001437.html
https://oss.oracle.com/pipermail/el-errata/2010-April/001436.html

Solution :

Update the affected kdebase packages.

Risk factor :

Medium / CVSS Base Score : 6.9
(CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C)

Family: Oracle Linux Local Security Checks

Nessus Plugin ID: 68031

Bugtraq ID:

CVE ID: CVE-2010-0436