From: Dirk Mueller <mueller-AT-kde.org>
Subject: [kde-announce] [KDE Security Advisory] KDM passwordless login
Date: Wed, 19 Sep 2007 16:23:58 +0200

KDE Security Advisory: KDM passwordless login vulnerability
Original Release Date: 2007-09-19
1. Systems affected:
KDM as shipped with KDE 3.3.0 up to and including 3.5.7. KDE 3.2.x and
older, and versions newer than KDE 3.5.7, are not affected.

Under certain circumstances, namely when autologin is configured and
"shutdown with password" is enabled, KDM can be tricked into performing
a password-less login even for accounts that have a password set.
This vulnerability was discovered and reported by Kees Huijgen.

KDM might allow a normal user to log in as another user or even
root without properly supplying login credentials.

Source code patches have been made available which fix these
vulnerabilities. Contact your OS vendor / binary package provider
for information about how to obtain updated binary packages.
A patch for KDE 3.5.0 - KDE 3.5.7 is available from
A patch for KDE 3.3.0 - KDE 3.4.2 is available from
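
An added example, not part of the advisory or of KDE's code: a triage check that tests a host against the two preconditions and the version range the advisory names. It assumes the kdmrc keys `AutoLoginEnable` and `AllowShutdown` (with `Root` taken to mean "shutdown with password"), their defaults, and the `[X-...-Core]` section precedence shown in the comments; the sample configuration is constructed.

```python
import configparser

# Affected range stated in the advisory: KDE 3.3.0 up to and including 3.5.7.
AFFECTED_MIN, AFFECTED_MAX = (3, 3, 0), (3, 5, 7)

# Constructed sample kdmrc (not taken from a real system).
SAMPLE_KDMRC = """\
[X-*-Core]
AllowShutdown=All

[X-:0-Core]
AutoLoginEnable=true
AutoLoginUser=alice
AllowShutdown=Root
"""

def version_affected(version):
    """True if a dotted KDE version falls inside the advisory's range."""
    parts = tuple(int(p) for p in version.split("."))
    return AFFECTED_MIN <= (parts + (0, 0, 0))[:3] <= AFFECTED_MAX

def _lookup(cfg, display, key, default):
    # Assumed precedence: exact display section, then [X-:*-Core] for local
    # displays only, then [X-*-Core]; otherwise the assumed built-in default.
    sections = ["X-%s-Core" % display]
    if display.startswith(":"):
        sections.append("X-:*-Core")
    sections.append("X-*-Core")
    for section in sections:
        if cfg.has_option(section, key):
            return cfg.get(section, key).strip().lower()
    return default

def risky_displays(kdmrc_text):
    """Displays where both preconditions named in the advisory hold."""
    cfg = configparser.RawConfigParser(strict=False)
    cfg.read_string(kdmrc_text)
    displays = {":0"}  # assumption: the local display :0 is always served
    for s in cfg.sections():
        if s.startswith("X-") and s.endswith("-Core") and "*" not in s:
            displays.add(s[2:-5])
    hits = []
    for d in sorted(displays):
        autologin = _lookup(cfg, d, "AutoLoginEnable", "false") == "true"
        # Assumption: "shutdown with password" corresponds to AllowShutdown=Root.
        pw_shutdown = _lookup(cfg, d, "AllowShutdown", "all") == "root"
        if autologin and pw_shutdown:
            hits.append(d)
    return hits
```

A host is in scope for the advisory only when `version_affected()` is true for its installed KDE version and `risky_displays()` returns at least one display.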