https://bugzilla.novell.com/show_bug.cgi?id=794705
https://bugzilla.novell.com/show_bug.cgi?id=794705#c5
--- Comment #5 from Sebastian Krahmer 2013-06-04 03:04:15 UTC ---
I cannot see that it exposes any DBUS services, it seems to
be somehow started as plugin (probably by some other DBUS
service) and just checks for org.kde.kcontrol.kcmlightdm.save.
As this is auth_admin_keep, it can get that polkit permission.
However the greeter itself seems to be vulnerable to race condition:
void GreeterWindow::screenshot()
{
QPixmap pix = QPixmap::grabWindow(winId());
QString path =
QDir::temp().absoluteFilePath("lightdm-kde-greeter-screenshot.png");
bool ok = pix.save(path);
if (ok) {
kDebug() << "Saved screenshot as" << path;
} else {
kWarning() << "Failed to save screenshot as" << path;
}
}
looks like you can smash arbitrary files with this
(Ctrl+Alt+S for screendump), depending on how safe QPixmap handles
its files, but I doubt its secure.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.