https://bugs.kde.org/show_bug.cgi?id=497273
Bug ID: 497273
Summary: Spectacle allows any unprivileged process to capture a screenshot
Classification: Applications
Product: Spectacle
Version: 24.08.3
Platform: Gentoo Packages
OS: Linux
Status: REPORTED
Severity: normal
Priority: NOR
Component: General
Assignee: noaha...@gmail.com
Reporter: m...@dblsaiko.net
CC: k...@david-redondo.de
Target Milestone: ---

SUMMARY
Any program can take a screenshot via Spectacle, especially without user confirmation, which bypasses the security limitations on the screenshot protocol set by KWin.

STEPS TO REPRODUCE
1. Exec "spectacle -n -f -b -o out.png" from an application that should not have access to the screen capture API (for example Konsole)

OBSERVED RESULT
Spectacle creates a screenshot

EXPECTED RESULT
Spectacle should respect the access limits of the screen capture API and should check the permissions of the application trying to make a screenshot, or try to take a screenshot with the permission context of the calling app in some way (potentially via the systemd scope it gets run in or something like that, I think that knows which desktop file it belongs to which sets the permissions).

SOFTWARE/OS VERSIONS
Operating System: Gentoo Linux 2.17
KDE Plasma Version: 6.2.4
KDE Frameworks Version: 6.8.0
Qt Version: 6.8.1
Kernel Version: 6.11.9-gentoo-dist (64-bit)
Graphics Platform: Wayland
Processors: 24 × 13th Gen Intel® Core™ i7-13700F
Memory: 62.6 GiB of RAM
Graphics Processor: AMD Radeon RX 6800 XT
Manufacturer: Micro-Star International Co., Ltd.
Product Name: MS-7D25
System Version: 1.0

ADDITIONAL INFORMATION
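
An inventory check that follows from the report, as an added example that is not part of the original bug report and is not Spectacle or KWin code: it lists installed desktop entries that request screen-capture interfaces, since any such program that also offers a non-interactive command line can end up capturing on behalf of a caller that holds no grant. The key names X-KDE-DBUS-Restricted-Interfaces and X-KDE-Wayland-Interfaces, the substring match on interface names, and the two sample entries are assumptions of this example; the samples are constructed, not copied from real packages.

```python
import configparser
from pathlib import Path

# Desktop-entry keys assumed to carry KWin's per-application interface grants.
GRANT_KEYS = ("X-KDE-DBUS-Restricted-Interfaces", "X-KDE-Wayland-Interfaces")
# Interface names are matched by substring; the terms are this example's choice.
CAPTURE_TERMS = ("screenshot", "screencast")

# Constructed sample entries (not the real packaged files).
SAMPLE_GRANTED = """[Desktop Entry]
Type=Application
Name=Spectacle
Exec=spectacle
X-KDE-DBUS-Restricted-Interfaces=org.kde.KWin.ScreenShot2
"""
SAMPLE_PLAIN = """[Desktop Entry]
Type=Application
Name=Konsole
Exec=konsole
"""

def capture_grants(desktop_text):
    """Return (Exec line, sorted capture-related interfaces) for one entry."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = str  # desktop-entry keys are case-sensitive
    cp.read_string(desktop_text)
    if not cp.has_section("Desktop Entry"):
        return None, []
    entry = cp["Desktop Entry"]
    found = set()
    for key in GRANT_KEYS:
        for name in entry.get(key, "").replace(";", ",").split(","):
            if any(term in name.lower() for term in CAPTURE_TERMS):
                found.add(name.strip())
    return entry.get("Exec"), sorted(found)

def audit(dirs):
    """Map desktop file name -> (Exec, grants) for entries holding a capture grant."""
    report = {}
    for d in (Path(p) for p in dirs):
        for path in sorted(d.glob("*.desktop")) if d.is_dir() else []:
            exec_line, grants = capture_grants(path.read_text(errors="replace"))
            if grants:
                report[path.name] = (exec_line, grants)
    return report

if __name__ == "__main__":
    dirs = ["/usr/share/applications", Path.home() / ".local/share/applications"]
    for name, (exec_line, grants) in audit(dirs).items():
        print(f"{name}: Exec={exec_line!r} grants={grants}")
```

Each entry it reports is a program to review for options that capture without user interaction, because the grant is tied to the desktop file and not to whoever launched the binary.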