| Summary: | kde-4.10.1: qml-locker allows for browsing local filesystem with "widget lock" | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Franz Trischberger <franz.trischberger> |
| Component: | [OLD] KDE | Assignee: | Gentoo KDE team <kde> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | franz.trischberger, kirelagin |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugs.kde.org/show_bug.cgi?id=316893 | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=492354 | | |
| Whiteboard: | tracking upstream | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 462890 | | |
Description
Franz Trischberger
2013-03-18 07:50:12 UTC
As a workaround, I've disabled that option in the systemsettings GUI in kde-base/systemsettings-4.10.1-r1 and later. That, however, is indeed only a workaround. Keeping the bug open.

Why is this a potential attack if someone can see pictures he is allowed to see?

(In reply to comment #2)
> Why is this a potential attack if someone can see pictures he is allowed to
> see?

Clear the filter (*.png, *.jpeg, ...) and you can browse any file. You then can view/delete/rename the whole file system. As upstream mentions he does not know ATM what to do with it, this might be a potential attack vector. But I realised something even worse: it is possible to "add widgets" on the locker and also download them through GHNS. Someone simply has to create a malicious script, upload it to kde-look.org, install it on the locker -> bang.

Actually, changing the widget configuration is not possible since while the screen is really locked the cashew is not accessible. Nevertheless, add one widget that calls a file dialog...

I consider this fixed in Gentoo; I've additionally added rather trivial patches that
* prevent building the required binary "plasma-overlay" (kde-base/plasma-workspace-4.10.1-r1)
* make sure the plasma=true setting in the config file is ignored (kde-base/ksmserver-4.10.1-r1)

(In reply to Andreas K. Hüttel from comment #4)
> Actually, changing the widget configuration is not possible since while the
> screen is really locked the cashew is not accessible. Nevertheless, add one
> widget that calls a file dialog...

Probably it's time to revisit this issue?

So, it seems that this is not a security issue, but a usability one. One just has to lock widgets before starting to use the lock screen. Adding unsafe widgets is also a user issue. Just don't add unsafe widgets and you're fine. Also, widgets already have to mark themselves as secure for lockscreen. My point is, this is not a good enough reason to completely remove the functionality.