CVE-2022-27815: Releases · waycrate/swhkd
SWHKD 1.1.5 unsafely uses the /tmp/swhkd.pid pathname. There can be an information leak or denial of service.
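A defensive pattern for the kind of PID-file handling this CVE concerns, as an added example in Rust (swhkd's language); it is not swhkd's code or its actual fix. The function names `check_pid_dir` and `write_pid_file` and the directory policy are assumptions made for illustration.

```rust
use std::fs::{self, OpenOptions};
use std::io::{self, Write};
use std::os::unix::fs::{DirBuilderExt, MetadataExt, OpenOptionsExt};
use std::path::Path;

/// Reject a directory in which another local user could plant or swap the file.
/// A production daemon would also verify the directory's owner (omitted here
/// to stay within std).
pub fn check_pid_dir(dir: &Path) -> io::Result<()> {
    let meta = fs::symlink_metadata(dir)?; // lstat: a symlinked directory is refused
    if !meta.file_type().is_dir() {
        return Err(io::Error::new(io::ErrorKind::InvalidInput, "not a real directory"));
    }
    if meta.mode() & 0o022 != 0 {
        // Covers /tmp (mode 1777): the sticky bit does not stop pre-creation.
        return Err(io::Error::new(io::ErrorKind::PermissionDenied, "group/world-writable"));
    }
    Ok(())
}

/// Create the PID file atomically, never reusing or following an existing path.
pub fn write_pid_file(dir: &Path, name: &str, pid: u32) -> io::Result<()> {
    check_pid_dir(dir)?;
    let mut f = OpenOptions::new()
        .write(true)
        .create_new(true) // O_CREAT|O_EXCL: fails with EEXIST on any file or symlink
        .mode(0o600) // readable and writable by the daemon's user only
        .open(dir.join(name))?;
    writeln!(f, "{}", pid)
}

fn main() -> io::Result<()> {
    // Constructed demo: a private directory stands in for a runtime directory.
    let dir = std::env::temp_dir().join(format!("pid-demo-{}", std::process::id()));
    fs::DirBuilder::new().mode(0o700).create(&dir)?;
    write_pid_file(&dir, "demo.pid", std::process::id())?;
    let again = write_pid_file(&dir, "demo.pid", 1).map_err(|e| e.kind());
    println!("second create: {:?}", again);
    let tmp = check_pid_dir(Path::new("/tmp")).map_err(|e| e.kind());
    println!("/tmp as PID dir: {:?}", tmp);
    fs::remove_dir_all(&dir)
}
```

A stale PID file left by a crashed instance makes `write_pid_file` fail with `AlreadyExists`; the caller has to decide how to validate and remove it rather than silently overwriting it.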
Thanks to @uncomfyhalomacro, who packaged swhkd from openSUSE repos, a multitude of security vulnerabilities were discovered by @mgerstner, which primarily arose due to my incompetence and lack of careful review of all pull requests. I apologize for this.
The following CVEs have been fixed in this release:
CVE-2022-27815
CVE-2022-27814
CVE-2022-27819
CVE-2022-27818
CVE-2022-27816
Only CVE-2022-27817 remains, as it is a genuinely difficult problem to solve for us right now. After a short conversation with Kenny Levinsen (author of seatd) we came to the conclusion that it’s not possible to get access to a seat without complete control of the session, hence any compositor which is launched after swhkd won’t work. We can however get the fds of the devices, release the seat, and then pass them along to evdev, but that will require a complete application rewrite.
@mgerstner did suggest trying systemd context switching with elogind for supporting various inits. As far as I can tell this implementation will have a time complexity of O(2^n), so as the number of seats increases, swhkd will start to lag because there is a considerable amount of cold start to swhkd, after which the application runs fine.
I’d also like to point out that the above solution will NOT be portable. Distributions that decide to not build elogind support into their init systems will not be able to run swhkd and hence it’s not a path that I’d fancy even if it were to fix the problem.
For now CVE-2022-27817 will probably remain stale. For single-user (single-seat) systems swhkd will function just fine.