This update fixes CVE-2019-14744 (kconfig arbitrary shell code execution) in the KDE 3 compatibility version of kdelibs used by legacy KDE 3 applications.
The full list of fixes in this kdelibs3 build:

- kconfig: malicious .desktop files (and others) would execute code. KConfig had a well-meaning feature that allowed configuration files to execute arbitrary shell commands. Unfortunately, this could be abused by untrusted .desktop files to execute arbitrary code as the target user, without the user even running the .desktop file. Therefore, this update removes that ill-fated feature. (Backported by Kevin Kofler from upstream: kf5-kconfig fix by David Faure, kdelibs 4 backport by Kai Uwe Broulik.)
- xdg-user-dir from the config file. This is needed due to the above security fix. (This feature was previously implemented in the Fedora kde-settings by shelling out to xdg-user-dir from the config file using the KConfig feature removed above.) (Backported by Kevin Kofler from Trinity Desktop / Timothy Pearson.)

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:
sudo dnf upgrade --refresh --advisory=FEDORA-2019-9f2ee52c88
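
To audit existing files for the construct this update stops honouring, the following added example (not part of the update or of KDE's code) flags config entries that request expansion and carry a command substitution. It assumes KConfig's entry syntax, where a `[$e]` option after the key marks the value for expansion and `$(...)` is the shell-command form; the function name and the sample text are constructed for illustration.

```python
import re

# Key, optional bracket groups, then '='. A bracket group is either a
# locale (Name[de]) or options introduced by '$' (Icon[$e], Exec[$ie]).
ENTRY = re.compile(r'^\s*([^\[\]=#]+?)((?:\[[^\]]*\])*)\s*=(.*)$')
OPTION = re.compile(r'\[\$([A-Za-z]+)\]')

def find_shell_expansions(text):
    """Return (line_no, group, key) for entries that request expansion
    and whose value contains a $(...) command substitution."""
    hits = []
    group = ""
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            group = stripped[1:-1]          # group header, e.g. [Desktop Entry]
            continue
        m = ENTRY.match(line)
        if not m:
            continue                        # comment, blank or malformed line
        key, brackets, value = m.groups()
        # 'e' may be combined with other option letters, e.g. [$ie].
        expands = any("e" in opts for opts in OPTION.findall(brackets))
        if expands and "$(" in value:
            hits.append((no, group, key.strip()))
    return hits

# Constructed sample, not taken from a real file.
SAMPLE = """\
[Desktop Entry]
Type=Link
Name[de]=Beispiel
Icon[$e]=$(true)
URL[$e]=$HOME/Documents
Comment=literal $(text) without the expand option
Exec[$ie]=viewer $(true)
"""

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for no, group, key in find_shell_expansions(fh.read()):
                print(f"{path}:{no}: [{group}] {key}")
```

Entries that only expand environment variables (the `URL` line in the sample) are not reported, and any hit deserves review regardless of whether the update is installed.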
This update has been submitted for testing by kkofler.
This update's test gating status has been changed to 'waiting'.
This update's test gating status has been changed to 'ignored'.
This update has been pushed to testing.
This update's test gating status has been changed to 'greenwave_failed'.
This update's test gating status has been changed to 'ignored'.
kkofler edited this update.
This update can be pushed to stable now if the maintainer wishes
This update has been submitted for stable by kkofler.
This update has been pushed to stable.