
Cloud Vulnerability DB
A community-led vulnerabilities database
SWHKD version 1.1.5 contained a vulnerability (CVE-2022-27819) that allowed parsing of arbitrary files through the -c command line parameter. The vulnerability was discovered in March 2022 and affected the daemon component of SWHKD, a hotkey helper for the Wayland graphics system (OSS Security).
The vulnerability existed in the daemon's handling of the -c parameter: the daemon read in full whatever file path it was given, without checking who was entitled to read it. Because the daemon ran with root privileges via pkexec, it could open and process any privileged file on the system. The daemon only printed contents that it recognised as hotkey definitions, but parsing arbitrary files could still lead to memory exhaustion and high I/O load, particularly for very large inputs such as block devices (OSS Security).
The vulnerability could lead to two main impacts: 1) Information leakage through the parsing of privileged files, though this was limited by the requirement for the content to match hotkey definition syntax, and 2) Denial of service through memory exhaustion and high I/O load when parsing large files or block devices (OSS Security).
The vulnerability was fixed in version 1.2.0 by dropping privileges to the invoking user's level: the fixing commit added functionality so that the daemon reads configuration files with the invoking user's privileges rather than root's (GitHub Commit, GitHub Release).
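The pattern behind the fix, as an added example that is not SWHKD's own code: a root daemon started via pkexec identifies the invoking user (pkexec exports PKEXEC_UID), drops to that user before opening the -c file, and, going beyond the fix the page describes, also refuses device nodes and oversized files to close the memory and I/O exhaustion case. The 1 MiB cap, the sxhkd-style sample config and the fallback to the process's own ids outside pkexec are assumptions for the demo.

```python
import os
import pwd
import stat
import tempfile

MAX_CONFIG_BYTES = 1024 * 1024  # assumed cap; real hotkey configs are tiny

def invoking_user():
    # pkexec exports PKEXEC_UID; outside pkexec use this process's own ids.
    if "PKEXEC_UID" in os.environ:
        uid = int(os.environ["PKEXEC_UID"])
        return uid, pwd.getpwuid(uid).pw_gid
    return os.getuid(), os.getgid()

def drop_privileges(uid, gid):
    # Clear supplementary groups while still root, then gid, then uid;
    # the wrong order leaves root-only state behind. Verify afterwards.
    if os.geteuid() == 0:
        os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    if (os.getuid(), os.geteuid()) != (uid, uid):
        raise RuntimeError("privilege drop failed")

def read_config(path, uid, gid):
    # Open the -c file only after the drop so the kernel enforces the invoking
    # user's permissions; refuse device nodes and oversized files (the DoS case).
    drop_privileges(uid, gid)
    with open(path, "rb") as f:
        st = os.fstat(f.fileno())
        if not stat.S_ISREG(st.st_mode):
            raise ValueError("config must be a regular file")
        if st.st_size > MAX_CONFIG_BYTES:
            raise ValueError("config exceeds size cap")
        text = f.read(MAX_CONFIG_BYTES).decode("utf-8", "replace")
    # Unindented lines are key chords; indented lines are their commands.
    return [ln for ln in text.splitlines() if ln and not ln[0].isspace()]

def demo():
    # Constructed sample in sxhkd-style syntax, read as the invoking user.
    with tempfile.NamedTemporaryFile("w", suffix=".swhkdrc", delete=False) as f:
        f.write("super + Return\n    alacritty\n\nsuper + d\n    wofi\n")
        path = f.name
    try:
        return read_config(path, *invoking_user())
    finally:
        os.unlink(path)
```

Run as an unprivileged user, `demo()` drops to the same uid (a no-op the kernel still permits) and returns the two chord lines; run as root under pkexec, the same call opens the file as the invoking user, so a path like a root-only file or a block device fails at `open` or at the regular-file check instead of being parsed.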
The vulnerability was discovered during a security review by the SUSE security team when the software was being packaged for openSUSE Tumbleweed. The discovery led to a broader security audit that revealed multiple other security issues in the software (OSS Security).
Source: This report was generated using AI