CVE-2013-4132

Publication date 16 September 2013

Last updated 24 July 2024

KDE-Workspace 4.10.5 and earlier does not properly handle the return value of the glibc 2.17 crypt and pw_encrypt functions, which allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via (1) an invalid salt or a (2) DES or (3) MD5 encrypted password, when FIPS-140 is enable, to KDM or an (4) invalid password to KCheckPass.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
kde-workspace	13.04 raring	Not affected
	12.10 quantal	Not affected
	12.04 LTS precise	Not affected
	10.04 LTS lucid	Not in release

Notes

seth-arnold

NULL return from crypt() if the salt isn't sane

mdeslaur

This is only an issue on glibc 2.17+, so precise and quantal aren't affected. Also, our kde-workspace packages are compiled with pam support, so they shouldn't be vulnerable.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
kde-workspace	Upstream: https://projects.kde.org/projects/kde/kde-workspace/repository/revisions/45b7f137fbc0b942fd2c9b4e8d8c1f0293e64ba7