Article 759M6 Security review of Plasma Login Manager (SUSE Security Team Blog)

by jzb from LWN.net on (#759M6)

SUSE's Security Team has published a detailed blog post on their recent review of the Plasma Login Manager version 6.6.2, which was forked from the SDDM display manager.

While most of the code remains the same, the new upstream added a privileged D-Bus helper called plasmaloginauthhelper, which suffers from defense-in-depth security issues.

[...] Based on the high severity of the defense-in-depth issues shown in this report, our assessment is that there is effectively no separation between root and the plasmalogin service user account.

At this time there is no bugfix available by upstream, but a security fix is planned for the next Plasma release on May 12. We have not been involved in upstream's bugfix process so far and have no knowledge about the approach that will be taken to address the issues from this report.
