https://bugs.kde.org/show_bug.cgi?id=479184
Bug ID: 479184
Summary: Remove/Restrict Spectacle's nonotify option in the wayland session context for security reasons
Classification: Applications
Product: Spectacle
Version: 23.08.4
Platform: Other
OS: Linux
Status: REPORTED
Severity: critical
Priority: NOR
Component: General
Assignee: noaha...@gmail.com
Reporter: mosa...@posteo.de
CC: k...@david-redondo.de
Target Milestone: ---

SUMMARY

With the --nonotify option it is possible to call Spectacle as a background process and take screenshots without informing the user about this. This is a potential security flaw from my perspective. One of the benefits of Wayland is that apps can't just get pixels from other apps without permission from the user (e.g. xdg portal use from within web browsers for screen sharing). In almost all Linux distributions that provide a KDE Plasma session, Spectacle is pre-installed and thus could be called from a potentially malicious app to work around the security concepts of the Wayland implementation.

SOFTWARE/OS VERSIONS

Operating System: Fedora Linux 39
KDE Plasma Version: 5.27.10
KDE Frameworks Version: 5.111.0
Qt Version: 5.15.11
Kernel Version: 6.6.7-200.fc39.x86_64 (64-bit)
Graphics Platform: Wayland
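
A defender-side check for the invocation pattern this report describes, added here as an example; it is not part of the bug report or of Spectacle. It classifies process command lines that run Spectacle with the notification suppressed. Only --nonotify comes from the report; --background, the short forms -n/-b and the value-taking -o/-d are assumptions taken from Spectacle's --help, and the sample command lines are constructed.

```python
from __future__ import annotations
import os

# --nonotify is the option named in the report. --background, the short forms
# -n/-b, and -o/-d taking a value are assumptions from Spectacle's --help.
VALUE_SHORT = {"o", "d"}

def parse_cmdline(raw: bytes) -> list[str]:
    """Split a /proc/<pid>/cmdline blob (NUL-separated argv)."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]

def classify(argv: list[str]) -> str | None:
    """Return 'silent-background' or 'silent' for a quiet Spectacle run, else None."""
    if not argv or os.path.basename(argv[0]) != "spectacle":
        return None
    quiet = headless = False
    for arg in argv[1:]:
        if arg == "--":
            break                          # only positional arguments follow
        if arg.startswith("--"):
            name = arg.split("=", 1)[0]
            quiet = quiet or name == "--nonotify"
            headless = headless or name == "--background"
        elif arg.startswith("-"):
            for ch in arg[1:]:             # clustered short options, e.g. -bn
                if ch in VALUE_SHORT:
                    break                  # rest of the cluster is that option's value
                quiet = quiet or ch == "n"
                headless = headless or ch == "b"
    if not quiet:
        return None
    return "silent-background" if headless else "silent"

def scan_proc(proc: str = "/proc") -> list[tuple[int, str, list[str]]]:
    """Classify every readable process under /proc (Linux only)."""
    hits = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "cmdline"), "rb") as fh:
                argv = parse_cmdline(fh.read())
        except OSError:
            continue                       # process exited or is not readable
        verdict = classify(argv)
        if verdict:
            hits.append((int(pid), verdict, argv))
    return hits

# Constructed sample cmdline blobs, not captured from a real system.
SAMPLES = [b"/usr/bin/spectacle\0--background\0--nonotify\0--output\0/tmp/s.png\0",
           b"spectacle\0-bn\0-o\0/tmp/s.png\0", b"/usr/bin/spectacle\0--region\0"]
```

A polling scan of /proc misses short-lived processes, so for continuous coverage pass the argv from an exec-event source to classify() instead.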