Bug 330602 - security flaw in design of the plasma widgets
Summary: security flaw in design of the plasma widgets
Status: RESOLVED DUPLICATE of bug 316893
Alias: None
Product: kscreensaver
Classification: Unmaintained
Component: locker-qml (other bugs)
Version First Reported In: 4.11.5
Platform: Debian unstable Linux
Importance: NOR major
Target Milestone: ---
Assignee: Plasma Bugs List
Reported: 2014-01-31 07:50 UTC by Ritesh Raj Sarraf
Modified: 2015-01-26 09:21 UTC (History)

Description Ritesh Raj Sarraf 2014-01-31 07:50:40 UTC
When using plasma on the lock screen, a user can bypass the lock screen and get access to the user's data (with the permissions inherited from the running user).

All details in this video: https://picasaweb.google.com/lh/photo/PkIjj0jE__Bt92Eh8eBr_dMTjNZETYmyPJy0liipFm0?feat=directlink

Reproducible: Always

Steps to Reproduce:
1. Lock your screen
2. Add a wallpaper / picture frame widget to your lock screen
3. Now right click to check the option "Save picture / wallpaper"
4. The file open window gives you full privileges of the running user.
Actual Results:  
Full access to the data using the File Open Interface

Expected Results:  
When called from the lock screen, the access should be limited.
Comment 1 Martin Flöser 2015-01-26 09:21:37 UTC

*** This bug has been marked as a duplicate of bug 316893 ***