https://bugs.kde.org/show_bug.cgi?id=486352

            Bug ID: 486352
           Summary: Security issue: Lockscreen unlocked without a password
                    with mysterious "Unlock" button, NoPasswordUnlock.qml
                    in logs
    Classification: Plasma
           Product: kscreenlocker
           Version: 6.0.4
          Platform: Arch Linux
                OS: Linux
            Status: REPORTED
          Severity: normal
          Priority: NOR
         Component: general
          Assignee: plasma-b...@kde.org
          Reporter: a...@digitalsignalperson.com
  Target Milestone: ---

SUMMARY
Normally at night I do Super+L to lock my screen, then turn off my monitors. In
the morning I turn on my monitors and move my mouse to see the password prompt.
Today, instead of a password prompt, there was an "Unlock" button. When I
clicked it, it unlocked my session without prompting for my password.

It sounds similar to this https://bugs.kde.org/show_bug.cgi?id=484363 but
clicking the button unlocked my session, without asking for a password. And
similarly, it doesn't happen every time (I haven't reproduced it by
locking/unlocking since just observing it now).

The logs had this very sus line: kscreenlocker_greet[582024]:
file:///usr/share/plasma/look-and-feel/org.kde.breeze.desktop/contents/lockscreen/NoPasswordUnlock.qml:26:
ReferenceError: tryToSwitchUser is not defined


STEPS TO REPRODUCE
1. Lock screen at end of day, turn off monitors.
2. Next day turn on monitors, move mouse.
3. Observe "Unlock" button. Click it.

OBSERVED RESULT
Clicking "Unlock" unlocks the session without asking for a password.

EXPECTED RESULT
You should never be able to unlock the session with no password or an invalid
password.

SOFTWARE/OS VERSIONS
Operating System: Arch Linux
KDE Plasma Version: 6.0.4
KDE Frameworks Version: 6.1.0
Qt Version: 6.7.0
Kernel Version: 6.8.7-arch1-2 (64-bit)
Graphics Platform: Wayland
Graphics Processor: AMD Radeon RX 6600

ADDITIONAL INFORMATION
This was in the journalctl around when I unlocked it. Note the reference to
"NoPasswordUnlock.qml".

Apr 30 08:47:01 kwin_wayland[6312]: kwin_core: KWin::LayerShellV1Window doesn't
support setting maximized state
Apr 30 08:47:01 kwin_wayland[6312]: kwin_core: KWin::LayerShellV1Window doesn't
support setting fullscreen state
Apr 30 08:47:01 kwin_wayland[6312]: kwin_core: KWin::LayerShellV1Window doesn't
support setting maximized state
Apr 30 08:47:01 kwin_wayland[6312]: kwin_core: KWin::LayerShellV1Window doesn't
support setting fullscreen state
Apr 30 08:47:01 kwin_wayland[6312]: kwin_core: KWin::LayerShellV1Window doesn't
support setting maximized state
Apr 30 08:47:01 kwin_wayland[6312]: kwin_core: KWin::LayerShellV1Window doesn't
support setting fullscreen state
Apr 30 08:47:01 kwin_wayland[6312]: kwin_core: Failed to load cursor theme
"Oxygen_Blue"
Apr 30 08:47:01 kwin_wayland[6312]: kwin_core: Failed to load cursor theme
"Oxygen_Blue"
Apr 30 08:47:01 kscreenlocker_greet[582024]: Data set on unsupported clipboard
mode. QMimeData object will be deleted.
Apr 30 08:47:07 kscreenlocker_greet[582024]:
file:///usr/share/plasma/look-and-feel/org.kde.breeze.desktop/contents/lockscreen/NoPasswordUnlock.qml:26:
ReferenceError: tryToSwitchUser is not defined
Apr 30 08:47:07 kscreenlocker_greet[582024]:
file:///usr/share/plasma/look-and-feel/org.kde.breeze.desktop/contents/lockscreen/NoPasswordUnlock.qml:26:
ReferenceError: tryToSwitchUser is not defined
Apr 30 08:47:07 kscreenlocker_greet[582024]:
file:///usr/share/plasma/look-and-feel/org.kde.breeze.desktop/contents/lockscreen/NoPasswordUnlock.qml:26:
ReferenceError: tryToSwitchUser is not defined
Apr 30 08:47:07 kscreenlocker_greet[582024]:
file:///usr/share/plasma/look-and-feel/org.kde.breeze.desktop/contents/lockscreen/NoPasswordUnlock.qml:26:
ReferenceError: tryToSwitchUser is not defined
Apr 30 08:47:12 kscreenlocker_greet[582024]: qt.qpa.wayland: Could not create
EGL surface (EGL error 0x3000)
Apr 30 08:47:12 kscreenlocker_greet[582024]: qt.qpa.wayland: Could not create
EGL surface (EGL error 0x3000)
Apr 30 08:47:12 kscreenlocker_greet[582024]: qt.qpa.wayland: Could not create
EGL surface (EGL error 0x3000)
Apr 30 08:47:12 kscreenlocker_greet[582024]: qt.qpa.wayland: Could not create
EGL surface (EGL error 0x3000)
Apr 30 08:47:12 kscreenlocker_greet[582024]: Failed to write to the pipe: Bad
file descriptor.
Apr 30 08:47:18 kioworker[650986]: kf.kio.core: An error occurred during write.
The worker terminates now.
Apr 30 08:47:20 systemd[1]: systemd-hostnamed.service: Deactivated
successfully.
Apr 30 08:47:21 kscreenlocker_greet[651083]: Data set on unsupported clipboard
mode. QMimeData object will be deleted.
Apr 30 08:47:21 kscreenlocker_greet[651083]: Data set on unsupported clipboard
mode. QMimeData object will be deleted.
Apr 30 08:47:21 kscreenlocker_greet[651083]: Data set on unsupported clipboard
mode. QMimeData object will be deleted.
Apr 30 08:47:21 kscreenlocker_greet[651083]: Data set on unsupported clipboard
mode. QMimeData object will be deleted.
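
An added example (not part of the original report and not KDE code): a small Python check that rejoins wrapped journal lines like those above and lists each kscreenlocker_greet process whose output references NoPasswordUnlock.qml, with first timestamp and hit count. The function names and the optional host column are assumptions of this sketch.

```python
import re

# Excerpt of the journal lines quoted in the report, kept in their wrapped form.
SAMPLE = """\
Apr 30 08:47:01 kscreenlocker_greet[582024]: Data set on unsupported clipboard
mode. QMimeData object will be deleted.
Apr 30 08:47:07 kscreenlocker_greet[582024]:
file:///usr/share/plasma/look-and-feel/org.kde.breeze.desktop/contents/lockscreen/NoPasswordUnlock.qml:26:
ReferenceError: tryToSwitchUser is not defined
Apr 30 08:47:07 kscreenlocker_greet[582024]:
file:///usr/share/plasma/look-and-feel/org.kde.breeze.desktop/contents/lockscreen/NoPasswordUnlock.qml:26:
ReferenceError: tryToSwitchUser is not defined
Apr 30 08:47:12 kscreenlocker_greet[582024]: Failed to write to the pipe: Bad
file descriptor.
Apr 30 08:47:21 kscreenlocker_greet[651083]: Data set on unsupported clipboard
mode. QMimeData object will be deleted.
"""

# "Mon DD HH:MM:SS [host] process[pid]: message". The report's lines omit the
# host column; it is treated as optional here (assumption of this sketch).
HEADER = re.compile(
    r"^(\w{3} [ \d]\d \d\d:\d\d:\d\d) (?:\S+ )?(\S+?)\[(\d+)\]: ?(.*)$")
INDICATOR = "NoPasswordUnlock.qml"  # file name the reporter points at


def unwrap(text):
    """Rejoin wrapped lines into [timestamp, process, pid, message] records."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append([m.group(1), m.group(2), int(m.group(3)), m.group(4)])
        elif records and line.strip():
            # Continuation of the previous record's message.
            records[-1][3] = (records[-1][3] + " " + line.strip()).strip()
    return records


def greeters_referencing_indicator(text):
    """Map greeter pid -> first timestamp and count of lines naming INDICATOR."""
    hits = {}
    for ts, proc, pid, msg in unwrap(text):
        if proc == "kscreenlocker_greet" and INDICATOR in msg:
            entry = hits.setdefault(pid, {"first_seen": ts, "count": 0})
            entry["count"] += 1
    return hits


if __name__ == "__main__":
    for pid, info in greeters_referencing_indicator(SAMPLE).items():
        print(f"greeter pid {pid}: {info['count']} hit(s), first at {info['first_seen']}")
```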
