https://bugs.kde.org/show_bug.cgi?id=443911
Bug ID: 443911
Summary: Joystick KCM device path handling is borked
Product: systemsettings
Version: 5.23.0
Platform: Neon Packages
OS: Linux
Status: REPORTED
Severity: normal
Priority: NOR
Component: kcm_joystick
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
SUMMARY
The Joystick KCM tries to ensure that paths entered into the Device field are
within the "/dev" directory. However, it fails to do so. It has two significant
issues:
1. Path truncation.
When an entered path has a "/dev" subpath somewhere in the middle, the path
gets truncated. For example "/your/long/path/dev/joy0" gets truncated to
"/dev/joy0" and the KCM tries to use this incorrect path instead of throwing an
error that the specified path is outside of "/dev".
2. Path canonicalization.
The KCM doesn't canonicalize paths to check if they are indeed under "/dev", so
it is vulnerable to path traversal. For example, it happily accepts
"/dev/../your/path" as a valid path despite it being outside of "/dev".
SOFTWARE/OS VERSIONS
Operating System: KDE neon 5.23
KDE Plasma Version: 5.23.0
KDE Frameworks Version: 5.87.0
Qt Version: 5.15.3
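The following C++17 snippet is an added illustration, not code from this report or from kcm_joystick. naiveDevicePath() is a hypothetical reconstruction of the behaviour the report describes (locate "/dev" anywhere in the string and keep the rest), written only to show the two failure modes side by side with a check that rejects them. checkedDevicePath() is the hardened variant: it requires an absolute path, lexically normalises it (collapsing "." and ".."), and then accepts only paths whose first component is "dev" followed by at least one non-empty component. The function names and the sample paths are assumptions.

```cpp
#include <filesystem>
#include <iostream>
#include <optional>
#include <string>

namespace fs = std::filesystem;

// Hypothetical reconstruction of the behaviour described in the report
// (not the KCM's actual source): find "/dev" anywhere in the string and
// keep everything from that point on. This is what turns
// "/your/long/path/dev/joy0" into "/dev/joy0", and it never looks at
// ".." components, so "/dev/../your/path" passes through untouched.
std::string naiveDevicePath(const std::string &input)
{
    const std::size_t pos = input.find("/dev");
    if (pos == std::string::npos) {
        return std::string(); // empty result stands for "rejected"
    }
    return input.substr(pos);
}

// Hardened check: the path must be absolute, and after lexical
// normalisation ("." and ".." collapsed) its first component must be
// "dev" with at least one non-empty component after it. Anything else
// is rejected instead of being silently rewritten into a different path.
std::optional<std::string> checkedDevicePath(const std::string &input)
{
    const fs::path p(input);
    if (!p.is_absolute()) {
        return std::nullopt; // "dev/input/js0" is not an absolute path
    }
    const fs::path normalised = p.lexically_normal();

    auto it = normalised.begin();
    if (it == normalised.end() || it->string() != "/") {
        return std::nullopt;
    }
    ++it;
    if (it == normalised.end() || it->string() != "dev") {
        // "/your/long/path/dev/joy0" -> first component "your"
        // "/dev/../your/path"        -> normalises to "/your/path"
        // "/device/js0"              -> first component "device"
        return std::nullopt;
    }
    ++it;
    if (it == normalised.end() || it->empty()) {
        return std::nullopt; // a bare "/dev" or "/dev/" names no device file
    }
    return normalised.string();
}

int main()
{
    // Constructed sample inputs, including the two cases from the report.
    const char *samples[] = {
        "/dev/input/js0",
        "/dev/./input/../input/js0",
        "/your/long/path/dev/joy0",
        "/dev/../your/path",
        "/device/js0",
    };
    for (const char *s : samples) {
        const auto checked = checkedDevicePath(s);
        std::cout << s << "\n  naive:   \"" << naiveDevicePath(s) << "\"\n"
                  << "  checked: " << (checked ? *checked : std::string("rejected"))
                  << '\n';
    }
    return 0;
}
```

Lexical normalisation only handles "." and ".." in the string; it does not follow symlinks, and /dev contains symlinks that point outside it. A real fix would therefore additionally resolve an existing path on disk (realpath(3), or QFileInfo::canonicalFilePath() in Qt) and run the same "/dev" prefix check on the resolved result.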