
group.of.nepali.translators team mailing list archive

[Bug 1839432] Re: [CVE] malicious .desktop files (and others) would execute code

 

This bug was fixed in the package kde4libs - 4:4.14.38-0ubuntu7

---------------
kde4libs (4:4.14.38-0ubuntu7) eoan; urgency=medium

  * SECURITY UPDATE: malicious .desktop files (and others) would execute
    code (LP: #1839432).
    - debian/patches/CVE-2019-14744.diff: removes the affected feature as
      currently 'unused'.
    - CVE-2019-14744
  * Build against OpenSSL 1.1:
    - use Fedora-provided patch backport by Daniel Vrátil and Wolfgang Bauer
    - In Build-Depends, replace libssl1.0-dev by "libssl-dev (>= 1.1)"
  * Mark an additional symbol as optional on ppc64el.

 -- Rik Mills <rikmills@xxxxxxxxxxx>  Thu, 15 Aug 2019 14:10:10 +0100

** Changed in: kde4libs (Ubuntu)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह (Nepali Language Coordinators Group), which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1839432

Title:
  [CVE] malicious .desktop files (and others) would execute code

Status in kconfig package in Ubuntu:
  Fix Released
Status in kde4libs package in Ubuntu:
  Fix Released
Status in kconfig source package in Xenial:
  Fix Released
Status in kde4libs source package in Xenial:
  New
Status in kconfig source package in Bionic:
  Fix Released
Status in kde4libs source package in Bionic:
  New
Status in kconfig source package in Disco:
  Fix Released
Status in kde4libs source package in Disco:
  New

Bug description:
  KDE Project Security Advisory
  =============================

  Title:          kconfig: malicious .desktop files (and others) would execute code
  Risk Rating:    High
  CVE:            CVE-2019-14744
  Versions:       KDE Frameworks < 5.61.0
  Date:           7 August 2019

  Overview
  ========
  The syntax Key[$e]=$(shell command) in *.desktop files, .directory files, and configuration files
  (typically found in ~/.config) was an intentional feature of KConfig, meant to allow flexible configuration.
  It could, however, be abused: anyone who could get a user to install such a file would get code
  executed without any intentional action by the user. A file manager trying to find out the icon for
  a file or directory could end up executing code, and any application using KConfig could execute
  malicious code during its startup phase, for instance.

  After careful consideration, the entire feature of supporting shell commands in KConfig entries has been removed,
  because we couldn't find an actual use case for it. If you do have an existing use for the feature, please
  contact us so that we can evaluate whether it would be possible to provide a secure solution.

  Note that [$e] remains useful for environment variable expansion.
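An added scanner, not part of this advisory or of KDE's code, that walks .desktop, .directory and *rc files and reports every key carrying the [$e] flag whose value contains $(...) command substitution, while leaving plain $VAR / ${VAR} references (the environment expansion the advisory says remains available) alone. Its line grammar is an approximation of KConfig's parser written for this example (key, optional locale tags and $-flag groups, then =value); the sample .desktop content is constructed, not a file seen in the wild. The Icon key in the sample is the file-manager case the advisory describes. This is a useful check on home directories of a system where kconfig or kde4libs has not yet been updated:

```python
"""Scan KConfig-style files (.desktop, .directory, ~/.config/*rc) for keys
flagged [$e] whose value uses $(...) command substitution, the construct
removed for CVE-2019-14744. Example code for this page, not KDE's parser:
the line grammar below is an approximation of KConfig's."""
from __future__ import annotations

import re
from pathlib import Path
from typing import Iterable, NamedTuple

# Key line: Name[de][$e]=value. Trailing bracket groups are locale tags or
# $-flag groups; a $-flag group containing 'e' ([$e], [$ei]) enables expansion
# (assumption: combined flags are spelled with a single '$', as in [$ei]).
_KEY_RE = re.compile(r'^\s*(?P<key>[^=\[\]#][^=\[\]]*)(?P<flags>(?:\[[^\]]*\])*)\s*=(?P<value>.*)$')
_FLAG_RE = re.compile(r'\[\$([a-z]+)\]')
_CMD_RE = re.compile(r'\$\(([^)]*)\)')  # $(command): the removed shell feature
_ENV_RE = re.compile(r'\$(?!\$)(?:\{([^}]*)\}|([A-Za-z_][A-Za-z0-9_]*))')  # $VAR / ${VAR}


class Finding(NamedTuple):
    path: str
    lineno: int
    group: str
    key: str
    command: str


def expansion_flagged(flags: str) -> bool:
    """True if any $-flag group on the key contains 'e'."""
    return any('e' in f for f in _FLAG_RE.findall(flags))


def scan_text(text: str, path: str = "<inline>") -> list[Finding]:
    """Return one Finding per $(...) occurrence in the value of an [$e] key."""
    found: list[Finding] = []
    group = ""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]  # e.g. [Desktop Entry]
            continue
        m = _KEY_RE.match(raw)
        if not m or not expansion_flagged(m.group("flags")):
            continue  # no [$e]: the value is taken literally, nothing expands
        for cmd in _CMD_RE.findall(m.group("value")):
            found.append(Finding(path, lineno, group, m.group("key").strip(), cmd))
    return found


def env_refs(value: str) -> list[str]:
    """Environment variable names an [$e] value would still expand after the fix."""
    return [a or b for a, b in _ENV_RE.findall(value)]


def scan_paths(roots: Iterable[Path], suffixes=(".desktop", ".directory")) -> list[Finding]:
    """Walk roots; check files with a listed suffix plus *rc files (KConfig config files)."""
    out: list[Finding] = []
    for root in roots:
        if not root.is_dir():
            continue
        for p in root.rglob("*"):
            if p.is_file() and (p.suffix in suffixes or p.name.endswith("rc")):
                try:
                    out.extend(scan_text(p.read_text(errors="replace"), str(p)))
                except OSError:
                    pass
    return out


# Constructed sample: one benign environment expansion on Path, and a command
# substitution on Icon, which a file manager would evaluate just to draw the icon.
SAMPLE_DESKTOP = """\
[Desktop Entry]
Type=Directory
Name=Photos
# benign: expands an environment variable
Path[$e]=$HOME/Pictures
Icon[$e]=$(id -u > /tmp/pwned)
"""

if __name__ == "__main__":
    import sys
    roots = [Path(a) for a in sys.argv[1:]] or [
        Path.home() / ".config",
        Path.home() / ".local" / "share" / "applications",
    ]
    for f in scan_text(SAMPLE_DESKTOP, "sample.desktop") + scan_paths(roots):
        print(f"{f.path}:{f.lineno} [{f.group}] {f.key}: would have run `{f.command}`")
```

Run it with no arguments to check ~/.config and the user's applications directory, or pass directories explicitly. The scanner only reports; it never expands anything itself, which is the point.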

  Solution
  ========
  KDE Frameworks 5 users:
  - update to kconfig >= 5.61.0
  - or apply the following patch to kconfig:
  https://cgit.kde.org/kconfig.git/commit/?id=5d3e71b1d2ecd2cb2f910036e614ffdfc895aa22

  kdelibs users: apply the following patch to kdelibs 4.14:
  https://cgit.kde.org/kdelibs.git/commit/?id=2c3762feddf7e66cf6b64d9058f625a715694a00

  Credits
  =======
  Thanks to Dominik Penner for finding and documenting this issue (we wish however that he would
  have contacted us before making the issue public) and to David Faure for the fix.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/kconfig/+bug/1839432/+subscriptions