Bug 462152 - kde-4.10.1: qml-locker allows for browsing local filesystem with "widget lock"
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] KDE (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo KDE team
URL: https://bugs.kde.org/show_bug.cgi?id=...
Whiteboard: tracking upstream
Blocks: 462890
Reported: 2013-03-18 07:50 UTC by Franz Trischberger
Modified: 2014-03-31 08:11 UTC (History)
Description Franz Trischberger 2013-03-18 07:50:12 UTC
https://bugs.kde.org/show_bug.cgi?id=316893

Just add this to track upstream and as potential blocker for kde-4.10.x stabilization.
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2013-03-25 22:14:47 UTC
As a workaround, I've disabled that option in the systemsettings GUI in kde-base/systemsettings-4.10.1-r1 and later.

That, however, is indeed only a workaround. Keeping the bug open.
Comment 2 Ulenrich 2013-03-25 23:48:42 UTC
Why is this a potential attack if someone can see pictures he is allowed to see?
Comment 3 Franz Trischberger 2013-03-26 06:16:31 UTC
(In reply to comment #2)
> Why is this a potential attack if someone can see pictures he is allowed to
> see?
Clear the filter (*.png, *.jpeg, ...) and you can browse any file. You then can view/delete/rename the whole file system. As upstream mentions he does not know ATM what to do with it, this might be a potential attack vector.

But I realised something even worse: It is possible to "add widgets" on the locker and also download them through GHNS.
Someone simply has to create a malicious script, upload it to kde-look.org, install it on the locker -> bang.
Comment 4 Andreas K. Hüttel archtester gentoo-dev 2013-03-26 22:31:57 UTC
Actually, changing the widget configuration is not possible since while the screen is really locked the cashew is not accessible. Nevertheless, add one widget that calls a file dialog...

I consider this fixed in Gentoo; I've additionally added rather trivial patches that
* prevent building the required binary "plasma-overlay" (kde-base/plasma-workspace-4.10.1-r1)
* make sure the plasma=true setting in the config file is ignored (kde-base/ksmserver-4.10.1-r1)
Comment 5 Kirill Elagin 2014-03-31 08:11:33 UTC
(In reply to Andreas K. Hüttel from comment #4)
> Actually, changing the widget configuration is not possible since while the
> screen is really locked the cashew is not accessible. Nevertheless, add one
> widget that calls a file dialog...

Probably it's time to revisit this issue?
So, it seems that this is not a security issue, but a usability one. One just has to lock widgets before starting to use the lock screen.
Adding unsafe widgets is also a user issue. Just don't add unsafe widgets and you're fine. Also, widgets already have to mark themselves as secure for lockscreen.

My point is, this is not a good enough reason to completely remove the functionality.