Bug 189 - SECURITY: CVE-2010-0436 (kdm race condition)
Status: RESOLVED FIXED
Alias: None
Product: TDE
Classification: Unclassified
Component: tdebase
Version: 3.5.11 [Trinity]
Hardware: Other Other
Importance: P1 major
Assignee: Timothy Pearson
Reported: 2010-04-20 07:56 CDT by jm82an4zn1
Modified: 2012-10-19 15:40 CDT

Attachments
Patch file of revision 1097263 (3.19 KB, patch)
2010-04-21 09:54 CDT, Timothy Pearson

Description jm82an4zn1 2010-04-20 07:56:59 CDT
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0436
http://www.kde.org/info/security/advisory-20100413-1.txt

Patch [1] proposed for KDE4 applies only in part, mainly because of the different build system, but it is trivial enough to be adapted. I have no knowledge of kdm internals; otherwise I'd post a patch.

[1]: ftp://ftp.kde.org/pub/kde/security_patches/kdebase-workspace-4.3.5-CVE-2010-0436.diff
Comment 1 Timothy Pearson 2010-04-20 21:03:03 CDT
Fixed in SVN revision 1117056.

Thanks for reporting!
Comment 2 Timothy Pearson 2010-04-21 09:53:29 CDT
> SVN commit 1117056 by tpearson:
> 
> Part 2 of 2 of security patch for KDM [CVE-2010-0436]
> 
That won't compile on Solaris. You need to backport r1097263 as well.
Comment 3 Timothy Pearson 2010-04-21 09:54:06 CDT
Created attachment 18
Patch file of revision 1097263
Comment 4 Timothy Pearson 2010-04-21 13:58:52 CDT
SVN revision 1097263 backported, compilation on Linux checks out as OK.