🍒plasmacalendarintegration: Fix directory traversal vulnerability in events plugins

Fushan Wen requested to merge work/cherry-pick-6cdf4291 into Plasma/6.0

The digital-calendar plasma applet is vulnerable to a directory traversal attack which allows an arbitrary .so library file to be loaded as a plasma calendar plugin.

This vulnerability can be triggered via theme files that provide a config for the digital-clock applet which includes enabledCalendarPlugins that uses directory traversal to load arbitrary .so from the filesystem.

This requires write access to the user's home or the installation of third-party global themes, so it is not directly exploitable by anything which did not have access already; however, it should be fixed regardless.

(cherry picked from commit 6cdf4291)
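
A sketch of the kind of check that closes this class of bug, added here as an example and not taken from this merge request or the Plasma code base: each `enabledCalendarPlugins` entry is accepted only if it is a bare file name that resolves directly inside the plugin directory. The directory path, the plugin name and the function names are assumptions made for illustration.

```cpp
#include <filesystem>
#include <iostream>
#include <optional>
#include <string>
#include <vector>

namespace fs = std::filesystem;

// Placeholder plugin directory (assumption); the real one depends on the install.
const fs::path kPluginDir = "/opt/example/plugins/calendar";

// Map one enabledCalendarPlugins entry to a library path directly inside
// pluginDir, or return nullopt if the entry could name a file anywhere else.
std::optional<fs::path> resolveCalendarPlugin(const fs::path &pluginDir, const std::string &entry)
{
    if (entry.empty() || entry == "." || entry == ".." || entry.find('\0') != std::string::npos)
        return std::nullopt;
    const fs::path name(entry);
    // Accept a bare file name only: no root, no directory component.
    if (name.is_absolute() || name.has_parent_path())
        return std::nullopt;
    // Defense in depth: the normalized result must sit directly in pluginDir.
    // This is a lexical check; it does not resolve symlinks on disk.
    const fs::path base = (pluginDir / "").lexically_normal().parent_path();
    const fs::path candidate = (base / name).lexically_normal();
    if (candidate.parent_path() != base)
        return std::nullopt;
    return candidate;
}

// Keep only the entries of a theme-supplied plugin list that pass the check.
std::vector<fs::path> filterEnabledPlugins(const fs::path &pluginDir, const std::vector<std::string> &entries)
{
    std::vector<fs::path> accepted;
    for (const std::string &entry : entries) {
        if (auto path = resolveCalendarPlugin(pluginDir, entry))
            accepted.push_back(*path);
        else
            std::cerr << "rejected calendar plugin entry: " << entry << '\n';
    }
    return accepted;
}

int main()
{
    // Constructed sample config values, as a theme might supply them.
    const std::vector<std::string> entries = {"exampleevents.so", "../../../tmp/evil.so", "/tmp/evil.so"};
    for (const fs::path &p : filterEnabledPlugins(kPluginDir, entries))
        std::cout << "would load: " << p << '\n';
    return 0;
}
```

Because the containment check is lexical, a deployment that cannot trust the contents of the plugin directory itself would also need to resolve symlinks before loading.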
