stable

kdelibs3-3.5.10-101.fc29

FEDORA-2019-9f2ee52c88 created by kkofler 5 years ago for Fedora 29

This update fixes CVE-2019-14744 (kconfig arbitrary shell code execution) in the KDE 3 compatibility version of kdelibs used by legacy KDE 3 applications.

The full list of fixes in this kdelibs3 build:

  • fixes CVE-2019-14744 - kconfig: malicious .desktop files (and other files KConfig parses) could execute code. KConfig had a well-meaning feature: a key marked with the [$e] suffix had its value expanded when the file was read, and that expansion included $(command) shell substitution. Unfortunately, an untrusted .desktop file could abuse this to execute arbitrary code as the target user merely by being parsed (for example when a file manager reads the entry to display it), without the user ever running the .desktop file. Therefore, this update removes that ill-fated shell-execution feature. (Backported by Kevin Kofler from upstream: kf5-kconfig fix by David Faure, kdelibs 4 backport by Kai Uwe Broulik.)
  • adds native support for xdg-user-dirs for the Desktop and Documents directories, without shelling out to xdg-user-dir from the config file. This is needed because of the above security fix: the Fedora kde-settings package previously implemented this by shelling out to xdg-user-dir from the config file using the KConfig feature removed above. (Backported by Kevin Kofler from Trinity Desktop / Timothy Pearson.)
  • fixes a KJS double-free that could crash legacy KDE 3 applications such as Quanta Plus when trying to execute JavaScript. (Backported by openSUSE / Wolfgang Bauer from Trinity Desktop / Timothy Pearson.)
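As an added example (not code from kdelibs3, kconfig, kde-settings or Fedora), the following Python script shows both halves of this update from a defender's point of view: it parses a constructed .desktop file the way a file manager would, applies [$e] expansion with the $(...) command substitution disabled (environment variables are still expanded; treating an unknown variable as empty and leaving $(...) in place verbatim are this example's own choices, not necessarily KConfig's exact post-fix output), reports any command substitutions it found as the file's would-be payload, and resolves the Desktop and Documents directories by reading an xdg-user-dirs user-dirs.dirs file directly instead of running xdg-user-dir. The sample .desktop file and user-dirs.dirs contents are constructed for the example.

```python
"""Added example: safe handling of KConfig [$e] values after CVE-2019-14744,
plus a native xdg-user-dirs lookup. Not code from kdelibs3/kconfig/Fedora."""
import os
import re
from typing import Dict, List, Tuple

# Constructed .desktop file in the shape the advisory describes: the [$e]
# marker asks KConfig to expand the value; $(...) is what the fix removed.
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=Totally Legit App
Icon[$e]=$(touch /tmp/pwned)
Exec=legit-app
Path[$e]=${HOME}/bin
"""

# Constructed ~/.config/user-dirs.dirs in xdg-user-dirs format.
SAMPLE_USER_DIRS = """# This file is written by xdg-user-dirs-update
XDG_DESKTOP_DIR="$HOME/Desktop"
XDG_DOCUMENTS_DIR="$HOME/Docs"
XDG_MUSIC_DIR="/srv/music"
XDG_BAD_DIR="../escape"
"""

_KEY_RE = re.compile(r"^([^\[=]+)((?:\[[^\]]*\])*)=(.*)$")
_FLAG_RE = re.compile(r"\[([^\]]*)\]")
_CMD_SUBST_RE = re.compile(r"\$\(([^)]*)\)")
_VAR_RE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}|\$([A-Za-z_][A-Za-z0-9_]*)")


def parse_entries(text: str) -> List[Tuple[str, str, bool, str]]:
    """Return (group, key, expand_flag, raw_value) for every key in the file.
    A bracket suffix starting with '$' is a KConfig flag ('e' = expand);
    other suffixes such as [de] are locale tags and are dropped here."""
    entries, group = [], ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]
            continue
        m = _KEY_RE.match(line)
        if not m:
            continue
        key, suffixes, value = m.group(1).strip(), m.group(2), m.group(3)
        flags = "".join(f[1:] for f in _FLAG_RE.findall(suffixes) if f.startswith("$"))
        entries.append((group, key, "e" in flags, value))
    return entries


def expand_safely(value: str, env: Dict[str, str]) -> Tuple[str, List[str]]:
    """Post-fix expansion of a [$e] value: ${VAR}/$VAR come from env, $(...)
    is never executed. Returns the expanded string and the command texts the
    removed feature would have run (useful for flagging malicious files).
    Assumption for this example: unknown variables expand to '' and $(...)
    stays in the value verbatim."""
    would_run = _CMD_SUBST_RE.findall(value)

    def sub_var(m):
        return env.get(m.group(1) or m.group(2), "")

    # Expand variables only outside $(...) so the command text stays literal.
    pieces, last = [], 0
    for m in _CMD_SUBST_RE.finditer(value):
        pieces.append(_VAR_RE.sub(sub_var, value[last:m.start()]))
        pieces.append(m.group(0))
        last = m.end()
    pieces.append(_VAR_RE.sub(sub_var, value[last:]))
    return "".join(pieces), would_run


def scan_desktop(text: str, env: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Resolve a .desktop file the way a file manager would (no user action
    needed) and collect every command substitution as a finding."""
    resolved, findings = {}, []
    for group, key, expand, raw in parse_entries(text):
        if expand:
            raw, cmds = expand_safely(raw, env)
            findings.extend(f"{group}/{key}: $({c})" for c in cmds)
        resolved[f"{group}/{key}"] = raw
    return resolved, findings


def read_user_dirs(text: str, home: str) -> Dict[str, str]:
    """Native xdg-user-dirs lookup: parse user-dirs.dirs instead of shelling
    out to xdg-user-dir. A value is either an absolute path or "$HOME/...";
    anything else (e.g. a relative path) is ignored."""
    dirs = {}
    for line in text.splitlines():
        m = re.match(r'^XDG_([A-Z]+)_DIR="([^"]*)"$', line.strip())
        if not m:
            continue
        name, path = m.group(1), m.group(2)
        if path == "$HOME" or path.startswith("$HOME/"):
            path = home + path[len("$HOME"):]
        elif not path.startswith("/"):
            continue
        dirs[name] = os.path.normpath(path)
    return dirs


if __name__ == "__main__":
    env = {"HOME": "/home/alice"}  # constructed environment for the demo
    resolved, findings = scan_desktop(SAMPLE_DESKTOP, env)
    for k, v in resolved.items():
        print(f"{k} = {v}")
    print("would have executed:", findings)
    print("user dirs:", read_user_dirs(SAMPLE_USER_DIRS, env["HOME"]))
```

Run against a real system by feeding it the contents of the .desktop files under a download directory and the user's ~/.config/user-dirs.dirs; any non-empty findings list is a file that would have run code on an unpatched kdelibs3 the moment it was displayed.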

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2019-9f2ee52c88

This update has been submitted for testing by kkofler. (5 years ago)

This update's test gating status has been changed to 'waiting'. (5 years ago)

This update's test gating status has been changed to 'ignored'. (5 years ago)

This update has been pushed to testing. (5 years ago)

This update's test gating status has been changed to 'greenwave_failed'. (5 years ago)

This update's test gating status has been changed to 'ignored'. (5 years ago)

kkofler edited this update. (5 years ago)

This update can be pushed to stable now if the maintainer wishes. (5 years ago)

This update has been submitted for stable by kkofler. (5 years ago)

This update has been pushed to stable. (5 years ago)


Metadata
  Type: security
  Severity: urgent
  Karma: 0
  Signed
  Content Type: RPM
  Test Gating
Autopush Settings
  Unstable by Karma: -10
  Stable by Karma: disabled
  Stable by Time: disabled
Dates
  submitted: 5 years ago
  in testing: 5 years ago
  in stable: 5 years ago
  modified: 5 years ago
BZ#1740138 CVE-2019-14744 kdelibs: malicious desktop files and configuration files lead to code execution with minimal user interaction