(In reply to Rex Dieter from comment #4)
> fwiw, I opened bug #96730 against xdg-utils to track this insecure use of
> KDE_SESSION_VERSION environment variable.
Well, the code is using the variable _exactly as documented_; it is perfectly secure to use it within a session. It is just not secure to transfer the value across trust domains (like pkexec would).