KDM local DoS with user images

kdebase (4:3.5.8-2ubuntu5) hardy; urgency=low

  * Add kubuntu_9914_kdm_user_image_check.diff from upstream
    fixes potential KDM local DoS if users set an invalid image
    Closes LP: #176347

 -- Jonathan Riddell <email address hidden> Fri, 14 Dec 2007 12:24:17 +0000

Uploaded to *-proposed

Patch is from upstream, although there is no upstream bug entry.

Recreate by settings KDM face image to a file and changing that file to a huge file or a pipe.

Accepted into -proposed, please test.

you can test this with

mkfifo ~/.face.icon

and seeing if kdm still works

I've tried to reproduce this with dapper and gutsy but both works fine what i did was: installed kdm and then test with the command Jonathan commented (mkfifo ~/.face.icon) but i see no changes on KDM, is there something else that should be installed or update the test case? thanks.

You also need to uncomment #FaceSource=PreferUser in /etc/kde3/kdm/kdmrc

Thanks Jonathan that worked. Verification done:

- Test on dapper (4:3.5.2-0ubuntu27.2), edgy (4:3.5.5-0ubuntu3.6), feisty (4:3.5.6-0ubuntu20.7) and gutsy (4:3.5.8-0ubuntu2), after uncomment the FaceSource line at kdmrc, execute "mkfifo ~/.face.icon" and logout the KDM is on an unusable state.

- Test with the proposed packages on dapper (4:3.5.2-0ubuntu27.3),edgy (4:3.5.5-0ubuntu3.7), feisty (4:3.5.6-0ubuntu20.8), gutsy (4:3.5.8-0ubuntu2.1). After following the test case and uncommented again the FaceSource line at kdmrc, execute the "mkfifo ~/.face.icon" and logout of the system, the KDM screen is shown and I'm able to use it, the bug has gone. Thanks you.

Copied to *-updates.