https://bugs.kde.org/show_bug.cgi?id=484122
Bug ID: 484122 Summary: [Security Vulnerability] Keyboard input may not be blocked by lock screen Classification: Plasma Product: kwin Version: 6.0.2 Platform: Arch Linux OS: Linux Status: REPORTED Severity: critical Priority: NOR Component: input Assignee: kwin-bugs-n...@kde.org Reporter: unblended_icing...@simplelogin.com Target Milestone: --- SUMMARY I didn't find this bug, but it's observed by a user in Arch Linux CN group. On resuming from hibernation there are brief moments where keyboard inputs are not **reliably** blocked by lock screen but instead sent to the window behind the lock screen. An attacker may abuse this small time-window to bypass the lock screen by using hardware keyboard macro "loginctl unlock-session [Enter]" if the last focused window is a terminal emulator. STEPS TO REPRODUCE 1. Enter hibernation mode (suspend-to-disk) using the power button in Application Launcher 2. Wake up from hibernation 3. Attempt to unlock KDE Plasma by typing the password OBSERVED RESULT (As described by the user who reported this bug) On typing, some keys are not getting captured by KScreenLocker and the first unlock attempt failed for providing wrong password. The user successfully unlocked the session on second attempt, the lock screen is dismissed, and the user found that some of the keyboard input events not captured on first attempt are shown on the focused text box. EXPECTED RESULT No keyboard input event should be allowed to pass-through lock screen ever. SOFTWARE/OS VERSIONS Linux/KDE Plasma: (available in About System) KDE Plasma Version: 6.0.2 KDE Frameworks Version: 6.0.0 Qt Version: 6.6.2 ADDITIONAL INFORMATION It's Wayland session as the user reported. -- You are receiving this mail because: You are watching all bug changes.