Bug 66288 (CVE-2005-0396)

Summary: VUL-0: CVE-2005-0396: KDE DCOP DOS
Product: [Novell Products] SUSE Security Incidents
Reporter: Sebastian Krahmer <krahmer>
Component: Incidents
Assignee: Adrian Schröter <adrian.schroeter>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: qa-bugs, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: All
Whiteboard: CVE-2005-0396: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: sample "exploit", secure-ICE-connection.diff

Description Sebastian Krahmer 2005-02-23 10:30:28 UTC
By connecting to the DCOP Unix socket, any user can freeze the KDE system.
Will attach exploit-script. Adrian, can you attach the discussed fix,
so we can keep track of it. I fear we need a full update since KDE
folks want to make an advisory. Feel free to assign to the right person
if I hit the wrong one :)
Comment 1 Sebastian Krahmer 2005-02-23 10:31:39 UTC
Created attachment 28734
sample "exploit"

...
Comment 2 Adrian Schröter 2005-02-23 10:33:45 UTC
Created attachment 28736
secure-ICE-connection.diff

fix from Waldo, applied in KDE 3.4
Comment 3 Adrian Schröter 2005-02-23 10:34:52 UTC
Waldo, when do you want to make the announcement? Together with 3.4?
Comment 4 Sebastian Krahmer 2005-02-23 10:38:47 UTC
Ok, someone has to decide whether we make updates or not. I don't know which
package has to be updated but probably it is kdebase or something,
so quite a lot of bytes for a stupid local DOS.

Comment 5 Adrian Schröter 2005-02-23 10:40:48 UTC
it is kdelibs3 
 
(I would take this chance to fix also a printing issue for 9.2 and to obsolete 
various former patches via releasing almost all subpackages.) 
Comment 6 Sebastian Krahmer 2005-02-23 10:46:48 UTC
Ok, then let's do it. The patchinfo-text would be a bit "mixed".
Comment 7 Waldo Bastian 2005-02-23 11:11:58 UTC
Announcement planned for Wednesday, March 16.
Comment 8 Waldo Bastian 2005-03-02 14:31:14 UTC
[Note that the patches mentioned below are the same as 
https://bugzilla.innerweb.novell.com/attachment.cgi?id=28736] 
  
Disclosure date: 14:00 CET March 16, 2005  
  
KDE Security Advisory: Local DCOP denial of service vulnerability  
Original Release Date: 20050316  
URL: http://www.kde.org/info/security/advisory-20050316-1.txt  
  
0. References  
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0396  
  
  
1. Systems affected:  
  
        All KDE versions prior to KDE 3.4 on systems where multiple users  
        have access.  
  
  
2. Overview:  
  
        Sebastian Krahmer of the SUSE LINUX Security Team reported a local  
        denial of service vulnerability in KDE's Desktop Communication  
        Protocol (DCOP) daemon better known as dcopserver.  
  
        A local user can lock up the dcopserver of arbitrary other users  
        on the same machine by stalling the DCOP authentication process.  
  
        Although it is not possible to bypass the authentication process  
        this way, it can cause a significant reduction in desktop  
        functionality for the affected users.  
  
        The Common Vulnerabilities and Exposures project (cve.mitre.org)  
        has assigned the name CAN-2005-0396 to this issue.  
  
        
3. Impact:  
  
        A local user can lock up the dcopserver of arbitrary other users  
        on the same machine. This can cause a significant reduction in  
        desktop functionality for the affected users including, but not  
        limited to, the inability to browse the internet and the inability  
        to start new applications.  
  
  
4. Solution:  
  
        Upgrade to KDE 3.4.  
  
        For older versions of KDE, source code patches have been made  
        available which fix these vulnerabilities. Contact your OS vendor /  
        binary package provider for information about how to obtain updated  
        binary packages.  
  
  
5. Patch:  
  
        A patch for KDE 3.1.x is available from  
        ftp://ftp.kde.org/pub/kde/security_patches  
  
        377c49d8224612fbf09f70f3c09d52f5  post-3.1.5-kdelibs-dcop.patch  
  
        A patch for KDE 3.2.x is available from  
        ftp://ftp.kde.org/pub/kde/security_patches  
  
        0948701bffb082c65784dc8a2b648ef0  post-3.2.3-kdelibs-dcop.patch  
  
        A patch for KDE 3.3.x is available from  
        ftp://ftp.kde.org/pub/kde/security_patches  
  
        7309e259ae1f29be08bbb70e580da3fb  post-3.3.2-kdelibs-dcop.patch  
  
  
6. Time line and credits:  
  
        21/02/2005 KDE Security informed by SUSE LINUX.  
        21/02/2005 Patches applied to KDE CVS.  
        02/03/2005 Vendors notified  
        16/03/2005 KDE Security Advisory released.  
Comment 9 Sebastian Krahmer 2005-03-02 15:11:32 UTC
Ok, fix is in STABLE? Will be in SL 9.3 right?
Comment 10 Adrian Schröter 2005-03-02 15:21:30 UTC
we will have KDE 3.4, yes ;) 
Comment 11 Marcus Meissner 2005-03-14 14:26:32 UTC
it is ok to merge in other updates, no need for an extra update
Comment 12 Adrian Schröter 2005-03-29 17:08:44 UTC
patch applied for 9.1 and newer, but no older yet. 
Comment 13 Marcus Meissner 2005-04-11 14:28:19 UTC
updated packages approved. 
Comment 14 Thomas Biege 2009-10-13 21:08:15 UTC
CVE-2005-0396: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P)