RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Created attachment 1164531 [details]
Steps to Reproduce the issue

Description of problem: The KDE screensaver allows users to choose a desktop wallpaper without supplying credentials. The wallpaper chooser dialog provides a way to open an arbitrary file browser. The file browser does not accept keyboard input, but allows the user to clear the filename extension filter and browse to anywhere on the filesystem, including automounted home directories, that the current session owner has permissions over. Moreover, the file browser contextual menu is functional, allowing the user to move files to Trash or delete. Additionally, the current session owner's KDE file browser settings are not respected, and renders icon thumbnails, including files contained within directories, resulting in automounted network directories being walked and files rendered as previews onto the containing directory icon.

How reproducible: Always


Steps to Reproduce:

Check attached file ( Steps to Reproduce) for detailed steps to reproduce with graphics

Actual results: KDE exposes files of other user's without credentials

Expected results: KDE should not expose files of other user's without credentials

Should be possible to fix. I would recommend adding a password dialog once you try to open the settings when the session is locked.

@Jan, please clarify what you meant by adding a password dialog? I don't see the option in the screensaver setting. Please walk me through the steps.

Fixed in kde-workspace-4.11.19-11.el7. As I said in comment 5, we decided to drop this option completely as it's not really trivial to fix it and make sure that no user information is exposed through the screensaver.

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0717