Feedback from SUSE security team
Copy/paste from https://bugzilla.suse.com/show_bug.cgi?id=1217183#c2
I am through with the review. The codebase for this PAM module can surely use a lot of love to make it clean and proper. Security-wise no show stoppers are found in there, although there is a TOCTOU issue regarding the use of the XDG_RUNTIME_DIR directory. It seems like this cannot be usefully exploited though.
To improve readability and handling I share my review findings in a GitHub PR# here:
https://github.com/mgerstner/reviews/pull/1/commits/2aff49872fbb42b4187560cd034bd225bda45636
Maybe someone upstream can be found to address at least the more problematic issues like the missing free() or the missing rename from kwallet5 to kwallet6. Otherwise there's quite a lot of inconsistency, redundancy and incompleteness found in this small piece of code.
It would be a good candidate for a major refactoring or a rewrite in C++ (why wasn't C++ used here anyway since all the rest of KDE uses it?).
The upstream commit I reviewed here is c0b0ce07. Once the KDE6 release is drawing near I will do a short follow-up review of any additional changes and whitelist the package.
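The review above mentions a TOCTOU (time-of-check/time-of-use) issue around XDG_RUNTIME_DIR without describing it in detail, and the linked review PR is not reproduced here. The following is an added example, not code from kwallet-pam, from the SUSE review, or from the linked PR: it shows the general defensive pattern for this class of bug, namely opening the runtime directory once and doing every check (owner, permissions, not a symlink) on the resulting descriptor with fstat(), then creating files relative to that descriptor with openat(), so there is no window between a check on a path and a later use of the same path. The function names, the 0700 permission policy and the `socket-test` file name are assumptions made for the illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of validating a per-user runtime directory (illustrative enum). */
enum runtime_dir_status {
    RUNTIME_DIR_OK = 0,
    RUNTIME_DIR_OPEN_FAILED, /* missing, not a directory, or a symlink */
    RUNTIME_DIR_BAD_OWNER,   /* owned by a different uid */
    RUNTIME_DIR_BAD_MODE     /* group or others have any access bits */
};

/*
 * Open `path` as a directory and validate it through the descriptor.
 * O_NOFOLLOW refuses a symlink at the final component, O_DIRECTORY refuses
 * anything that is not a directory, and fstat() inspects the object we
 * actually opened rather than whatever the path resolves to later.
 * On success *fd_out receives the descriptor; the caller must close() it.
 */
int open_runtime_dir(const char *path, uid_t expected_uid, int *fd_out)
{
    *fd_out = -1;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return RUNTIME_DIR_OPEN_FAILED;

    struct stat st;
    if (fstat(fd, &st) != 0) {
        close(fd);
        return RUNTIME_DIR_OPEN_FAILED;
    }
    if (st.st_uid != expected_uid) {
        close(fd);
        return RUNTIME_DIR_BAD_OWNER;
    }
    /* Policy assumed here: only the owner may access the directory. */
    if ((st.st_mode & 0077) != 0) {
        close(fd);
        return RUNTIME_DIR_BAD_MODE;
    }
    *fd_out = fd;
    return RUNTIME_DIR_OK;
}

/*
 * Create a new file inside the already-validated directory. Using openat()
 * with the directory descriptor means the earlier checks still apply even if
 * the path string would now resolve somewhere else; O_EXCL refuses to reuse
 * a pre-existing entry. Returns the new fd, or -1 with errno set.
 */
int create_in_runtime_dir(int dir_fd, const char *name)
{
    return openat(dir_fd, name,
                  O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

/* Stand-alone demo: validate $XDG_RUNTIME_DIR for the current user. */
int main(void)
{
    const char *dir = getenv("XDG_RUNTIME_DIR");
    if (dir == NULL) {
        fputs("XDG_RUNTIME_DIR is not set\n", stderr);
        return 1;
    }
    int fd;
    int rc = open_runtime_dir(dir, getuid(), &fd);
    printf("%s -> status %d\n", dir, rc);
    if (rc == RUNTIME_DIR_OK)
        close(fd);
    return rc == RUNTIME_DIR_OK ? 0 : 1;
}
```

The point of the pattern is that every decision is made on the open descriptor, so a check on the directory cannot be invalidated by a concurrent rename or symlink swap between the check and the use.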