Bug 1177298

Summary: AUDIT-FIND: plasma5-disks: unsafe path prefix check for /dev
Product: [openSUSE] openSUSE Tumbleweed Reporter: Matthias Gerstner <matthias.gerstner>
Component: SecurityAssignee: Fabian Vogt <fabian>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: fvogt, malte.kraus, matthias.gerstner, opensuse-kde-bugs
Version: Current   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1176742    

Description Matthias Gerstner 2020-10-05 10:52:24 UTC 
+++ This bug was initially created as a clone of Bug #1176742

As outlined in the review discussion in parent bug 1176742, the D-Bus method
org.kde.kded.smart.smartctl uses an insufficient prefix check for input paths.
The attempt to limits paths to files found beneath /dev is lacking, because
file descriptors in /dev/fd/ or symlinks in /dev/shm can be used.

While this shouldn't pose a severe security issue, the logic should be fixed
to avoid copy/paste of such code in the future that then would introduce more
severe issues.

Possible approaches to implement this right are suggested in bug 1176742
comment 3 and bug 1176742 comment 7.
Comment 1 Matthias Gerstner 2020-10-19 12:51:30 UTC 
Fixed by upstream in the meanwhile.