plasmacalendarintegration: Fix directory traversal vulnerability in events plugins

Benjamin Flesch requested to merge bf/plasma-workspace:master into master

The digital-calendar plasma applet is vulnerable to a directory traversal attack, which allows an arbitrary .so library file to be loaded as a plasma calendar plugin.

This vulnerability can be triggered via theme files that provide a config for the digital-clock applet which includes enabledCalendarPlugins that uses directory traversal to load arbitrary .so from the filesystem.

This requires write access to the user's home or the installation of third-party global themes, so it is not directly exploitable by anything which did not have access already; however, it should be fixed regardless.

Edited by David Edmundson
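
One way to check that a configured plugin entry stays inside the plugin directory before anything is loaded, as an added example that is not code from this merge request or from plasma-workspace. The directory path, the function names and the sample entries are assumptions constructed for illustration.

```cpp
#include <filesystem>
#include <iostream>
#include <optional>
#include <string>
#include <vector>

namespace fs = std::filesystem;

// Hypothetical plugin directory, chosen for illustration only.
static const fs::path kPluginDir = "/usr/lib/plugins/calendar";

// Map a configured plugin entry to a path below pluginDir, or return nullopt
// when the entry is empty, rooted, or climbs out of the directory.
// Purely lexical: nothing on disk is touched, so symlinks are not resolved.
std::optional<fs::path> resolvePlugin(const fs::path &pluginDir, const std::string &entry)
{
    if (entry.empty() || entry.find('\0') != std::string::npos)
        return std::nullopt;
    const fs::path rel(entry);
    if (rel.has_root_path())
        return std::nullopt;

    const fs::path base = pluginDir.lexically_normal();
    const fs::path candidate = (base / rel).lexically_normal();

    // Compare by path component, not by string prefix, so that a sibling
    // such as ".../calendar2" is not mistaken for ".../calendar".
    const fs::path back = candidate.lexically_relative(base);
    if (back.empty() || back == fs::path(".") || *back.begin() == fs::path(".."))
        return std::nullopt;
    return candidate;
}

// Return the entries of a plugin list (e.g. from a theme's config) that
// would be refused, so they can be logged or reported.
std::vector<std::string> rejectedEntries(const std::vector<std::string> &entries)
{
    std::vector<std::string> bad;
    for (const auto &e : entries)
        if (!resolvePlugin(kPluginDir, e))
            bad.push_back(e);
    return bad;
}

int main()
{
    // Constructed sample values, not taken from a real theme.
    for (const auto &e : rejectedEntries({"sampleevents", "../../../../home/user/other", "/tmp/x"}))
        std::cout << "rejected: " << e << '\n';
}
```

The check is lexical only; a loader that must also resist symlinks inside the plugin directory would additionally compare canonical paths of files that exist.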
