{"update": {"autokarma": false, "autotime": false, "stable_karma": 1, "stable_days": 14, "unstable_karma": -10, "require_bugs": false, "require_testcases": false, "display_name": "", "notes": "This update fixes **CVE-2019-14744 (kconfig arbitrary shell code execution)** in the compatibility library `kdelibs` 4 used by legacy applications (not yet ported to KDE Frameworks 5). The included `kde-settings` update removes obsolete settings that conflict with the security fix and are no longer needed (see below for details).\n\nThe full list of fixes in the `kdelibs` 4 build:\n\n* fixes **CVE-2019-14744 (#1740138, #1740140)** \u2013 `kconfig`: malicious `.desktop` files (and others) would execute code. KConfig had a well-meaning feature that allowed configuration files to execute arbitrary shell commands. Unfortunately, this could be abused by untrusted `.desktop` files to execute arbitrary code as the target user, without the user even running the `.desktop` file. Therefore, this update removes that ill-fated feature. (Patch from upstream: `kf5-kconfig` fix by David Faure, `kdelibs` 4 backport by Kai Uwe Broulik.)\n* fixes **#917848** \u2013 removes support for the `gamin` file watching service which is unmaintained and buggy and can lead to application lockups. KDirWatch now relies exclusively on `inotify` (directly). (Packaging fix by Rex Dieter.)\n* fixes **#1730770** \u2013 removes an unused dependency on the obsolete `xf86misc` library. (Packaging fix by Kevin Kofler.)\n\nThe fixes in the `kde-settings` build remove settings that were calling `xdg-user-dir`, because the above CVE-2019-14744 fix drops support for running shell commands from configuration files from KConfig and because the settings are all no longer needed (because they either only reproduce default behavior or were commented out):\n\n* `/usr/share/kde-settings/kde-profile/default/share/config/kdeglobals`, `/usr/share/kde-settings/kde-profile/minimal/share/config/kdeglobals`: Remove the `[Paths]` section. The `Desktop` and `Documents` directories that were set there are already detected by default by `kdelibs` 4 (it has native support for xdg-user-dirs and does not need the external `xdg-user-dir` command invocation), and now also by `kdelibs3 >= 3.5.10-101` (which has native xdg-user-dirs support backported). The `Trash` setting was already commented out.\n* `/usr/share/kde-settings/kde-profile/default/xdg/baloofilerc`: Delete the commented-out `folders` setting that attempts to call `xdg-user-dir`.", "type": "security", "status": "stable", "request": null, "severity": "urgent", "suggest": "logout", "locked": false, "pushed": true, "critpath": true, "critpath_groups": null, "close_bugs": false, "date_submitted": "2019-08-12 22:42:03", "date_modified": null, "date_approved": null, "date_testing": "2019-08-13 01:51:03", "date_stable": "2019-08-14 01:04:58", "alias": "FEDORA-2019-a746ac9c89", "test_gating_status": "ignored", "from_tag": null, "date_pushed": "2019-08-14 01:04:58", "meets_testing_requirements": true, "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2019-a746ac9c89", "title": "kde-settings-30.3-1.fc30 kdelibs-4.14.38-15.fc30", "version_hash": "43942810c485e352f8c7e0aaf59ced93ce594a75", "release": {"name": "F30", "long_name": "Fedora 30", "version": "30", "id_prefix": "FEDORA", "branch": "f30", "dist_tag": "f30", "stable_tag": "f30-updates", "testing_tag": "f30-updates-testing", "candidate_tag": "f30-updates-candidate", "pending_signing_tag": "f30-signing-pending", "pending_testing_tag": "f30-updates-testing-pending", "pending_stable_tag": "f30-updates-pending", "override_tag": "f30-override", "mail_template": "fedora_errata_template", "state": "archived", "composed_by_bodhi": true, "create_automatic_updates": false, "package_manager": "dnf", "testing_repository": "updates-testing", "released_on": null, "eol": null, "critpath_mandatory_days_in_testing": 14, "mandatory_days_in_testing": 7, "critpath_min_karma": 2, "min_karma": 1, "setting_status": null}, "user": {"name": "kkofler", "email": "kevin@tigcc.ticalc.org", "id": 886, "avatar": "https://seccdn.libravatar.org/avatar/8cd5027da3b6de8f3563cfd2fbb00330466a933ccda53eb004f13303a8c6dea9?s=24&d=retro", "openid": "kkofler.id.fedoraproject.org", "groups": [{"name": "packager"}, {"name": "provenpackager"}, {"name": "ipausers"}, {"name": "fedora-contributor"}, {"name": "signed_fpca"}, {"name": "fedorabugs"}, {"name": "gitspin-kickstarts"}, {"name": "svnkde-settings"}, {"name": "svnfedora-kde-artwork"}, {"name": "gitthemes"}, {"name": "art"}]}, "comments": [{"karma": 0, "karma_critpath": 0, "text": "This update has been submitted for testing by kkofler. ", "timestamp": "2019-08-12 22:42:03", "update_id": 146885, "user_id": 91, "id": 999131, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update's test gating status has been changed to 'waiting'.", "timestamp": "2019-08-12 22:42:03", "update_id": 146885, "user_id": 91, "id": 999132, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update's test gating status has been changed to 'ignored'.", "timestamp": "2019-08-12 22:42:12", "update_id": 146885, "user_id": 91, "id": 999133, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been pushed to testing.", "timestamp": "2019-08-13 01:51:39", "update_id": 146885, "user_id": 91, "id": 999247, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 1, "karma_critpath": 0, "text": "works for me", "timestamp": "2019-08-13 18:01:41", "update_id": 146885, "user_id": 2998, "id": 1000088, "bug_feedback": [{"karma": 0, "comment_id": 1000088, "bug_id": 917848, "bug": {"bug_id": 917848, "title": "gam_server deadlocks, leading to all KDE applications hanging", "security": false, "parent": false}}, {"karma": 0, "comment_id": 1000088, "bug_id": 1730770, "bug": {"bug_id": 1730770, "title": "kdelibs-devel requires pkgconfig(xxf86misc) but that's not available in rawhide anymore", "security": false, "parent": false}}, {"karma": 0, "comment_id": 1000088, "bug_id": 1740138, "bug": {"bug_id": 1740138, "title": "CVE-2019-14744 kdelibs: malicious desktop files and configuration files lead to code execution with minimal user interaction", "security": true, "parent": true}}, {"karma": 0, "comment_id": 1000088, "bug_id": 1740140, "bug": {"bug_id": 1740140, "title": "CVE-2019-14744 kdelibs: malicious desktop files and configuration files lead to code execution with minimal user interaction [fedora-all]", "security": true, "parent": false}}], "testcase_feedback": [], "user": {"name": "samoht0", "email": "samoht0-bugzilla@yahoo.com", "id": 2998, "avatar": "https://seccdn.libravatar.org/avatar/4a429e081c6c9f7b9d9cd4a3f4037fc93517c13e17258f8549f2d2f85f0912e7?s=24&d=retro", "openid": "samoht0.id.fedoraproject.org", "groups": [{"name": "ipausers"}]}}, {"karma": 1, "karma_critpath": 1, "text": "Works for me..", "timestamp": "2019-08-13 20:05:24", "update_id": 146885, "user_id": 449, "id": 1000171, "bug_feedback": [{"karma": 0, "comment_id": 1000171, "bug_id": 917848, "bug": {"bug_id": 917848, "title": "gam_server deadlocks, leading to all KDE applications hanging", "security": false, "parent": false}}, {"karma": 0, "comment_id": 1000171, "bug_id": 1730770, "bug": {"bug_id": 1730770, "title": "kdelibs-devel requires pkgconfig(xxf86misc) but that's not available in rawhide anymore", "security": false, "parent": false}}, {"karma": 0, "comment_id": 1000171, "bug_id": 1740138, "bug": {"bug_id": 1740138, "title": "CVE-2019-14744 kdelibs: malicious desktop files and configuration files lead to code execution with minimal user interaction", "security": true, "parent": true}}, {"karma": 0, "comment_id": 1000171, "bug_id": 1740140, "bug": {"bug_id": 1740140, "title": "CVE-2019-14744 kdelibs: malicious desktop files and configuration files lead to code execution with minimal user interaction [fedora-all]", "security": true, "parent": false}}], "testcase_feedback": [], "user": {"name": "g6avk", "email": "colin.thomson@g6avk.co.uk", "id": 449, "avatar": "https://seccdn.libravatar.org/avatar/a9a8954c462d35fa59f7eeec4e480384f9d1ec0271262a4530bfbf09340120f5?s=24&d=retro", "openid": "g6avk.id.fedoraproject.org", "groups": [{"name": "ipausers"}, {"name": "signed_fpca"}]}}, {"karma": 0, "karma_critpath": 0, "text": "This update can be pushed to stable now if the maintainer wishes", "timestamp": "2019-08-13 20:06:06", "update_id": 146885, "user_id": 91, "id": 1000172, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been submitted for stable by kkofler. ", "timestamp": "2019-08-13 20:45:01", "update_id": 146885, "user_id": 91, "id": 1000203, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been pushed to stable.", "timestamp": "2019-08-14 01:05:48", "update_id": 146885, "user_id": 91, "id": 1000364, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}], "builds": [{"nvr": "kdelibs-4.14.38-15.fc30", "signed": true, "release_id": 28, "type": "rpm", "epoch": 6}, {"nvr": "kde-settings-30.3-1.fc30", "signed": true, "release_id": 28, "type": "rpm", "epoch": 0}], "bugs": [{"bug_id": 917848, "title": "gam_server deadlocks, leading to all KDE applications hanging", "security": false, "parent": false, "feedback": [{"karma": 0, "comment_id": 394220, "bug_id": 917848, "comment": {"karma": 0, "karma_critpath": 0, "text": "Looks like, I don't have such a large directory structure, to trigger the bug #917848. But at least no regressions here.\n\nkarma: +1", "timestamp": "2016-02-27 16:09:21", "update_id": 51336, "user_id": 207, "id": 394220, "testcase_feedback": [], "user": {"name": "anonymous", "email": null, "id": 207, "avatar": "https://seccdn.libravatar.org/avatar/37a8eec1ce19687d132fe29051dca629d164e2c4958ba141d5f4133a33f0688f?s=24&d=retro", "openid": "anonymous.id.fedoraproject.org", "groups": []}}}, {"karma": 0, "comment_id": 1000088, "bug_id": 917848, "comment": {"karma": 1, "karma_critpath": 0, "text": "works for me", "timestamp": "2019-08-13 18:01:41", "update_id": 146885, "user_id": 2998, "id": 1000088, "testcase_feedback": [], "user": {"name": "samoht0", "email": "samoht0-bugzilla@yahoo.com", "id": 2998, "avatar": "https://seccdn.libravatar.org/avatar/4a429e081c6c9f7b9d9cd4a3f4037fc93517c13e17258f8549f2d2f85f0912e7?s=24&d=retro", "openid": "samoht0.id.fedoraproject.org", "groups": [{"name": "ipausers"}]}}}, {"karma": 0, "comment_id": 1000171, "bug_id": 917848, "comment": {"karma": 1, "karma_critpath": 1, "text": "Works for me..", "timestamp": "2019-08-13 20:05:24", "update_id": 146885, "user_id": 449, "id": 1000171, "testcase_feedback": [], "user": {"name": "g6avk", "email": "colin.thomson@g6avk.co.uk", "id": 449, "avatar": "https://seccdn.libravatar.org/avatar/a9a8954c462d35fa59f7eeec4e480384f9d1ec0271262a4530bfbf09340120f5?s=24&d=retro", "openid": "g6avk.id.fedoraproject.org", "groups": [{"name": "ipausers"}, {"name": "signed_fpca"}]}}}]}, {"bug_id": 1730770, "title": "kdelibs-devel requires pkgconfig(xxf86misc) but that's not available in rawhide anymore", "security": false, "parent": false, "feedback": [{"karma": 0, "comment_id": 1000088, "bug_id": 1730770, "comment": {"karma": 1, "karma_critpath": 0, "text": "works for me", "timestamp": "2019-08-13 18:01:41", "update_id": 146885, "user_id": 2998, "id": 1000088, "testcase_feedback": [], "user": {"name": "samoht0", "email": "samoht0-bugzilla@yahoo.com", "id": 2998, "avatar": "https://seccdn.libravatar.org/avatar/4a429e081c6c9f7b9d9cd4a3f4037fc93517c13e17258f8549f2d2f85f0912e7?s=24&d=retro", "openid": "samoht0.id.fedoraproject.org", "groups": [{"name": "ipausers"}]}}}, {"karma": 0, "comment_id": 1000171, "bug_id": 1730770, "comment": {"karma": 1, "karma_critpath": 1, "text": "Works for me..", "timestamp": "2019-08-13 20:05:24", "update_id": 146885, "user_id": 449, "id": 1000171, "testcase_feedback": [], "user": {"name": "g6avk", "email": "colin.thomson@g6avk.co.uk", "id": 449, "avatar": "https://seccdn.libravatar.org/avatar/a9a8954c462d35fa59f7eeec4e480384f9d1ec0271262a4530bfbf09340120f5?s=24&d=retro", "openid": "g6avk.id.fedoraproject.org", "groups": [{"name": "ipausers"}, {"name": "signed_fpca"}]}}}]}, {"bug_id": 1740138, "title": "CVE-2019-14744 kdelibs: malicious desktop files and configuration files lead to code execution with minimal user interaction", "security": true, "parent": true, "feedback": [{"karma": 0, "comment_id": 1000088, "bug_id": 1740138, "comment": {"karma": 1, "karma_critpath": 0, "text": "works for me", "timestamp": "2019-08-13 18:01:41", "update_id": 146885, "user_id": 2998, "id": 1000088, "testcase_feedback": [], "user": {"name": "samoht0", "email": "samoht0-bugzilla@yahoo.com", "id": 2998, "avatar": "https://seccdn.libravatar.org/avatar/4a429e081c6c9f7b9d9cd4a3f4037fc93517c13e17258f8549f2d2f85f0912e7?s=24&d=retro", "openid": "samoht0.id.fedoraproject.org", "groups": [{"name": "ipausers"}]}}}, {"karma": 0, "comment_id": 1000171, "bug_id": 1740138, "comment": {"karma": 1, "karma_critpath": 1, "text": "Works for me..", "timestamp": "2019-08-13 20:05:24", "update_id": 146885, "user_id": 449, "id": 1000171, "testcase_feedback": [], "user": {"name": "g6avk", "email": "colin.thomson@g6avk.co.uk", "id": 449, "avatar": "https://seccdn.libravatar.org/avatar/a9a8954c462d35fa59f7eeec4e480384f9d1ec0271262a4530bfbf09340120f5?s=24&d=retro", "openid": "g6avk.id.fedoraproject.org", "groups": [{"name": "ipausers"}, {"name": "signed_fpca"}]}}}]}, {"bug_id": 1740140, "title": "CVE-2019-14744 kdelibs: malicious desktop files and configuration files lead to code execution with minimal user interaction [fedora-all]", "security": true, "parent": false, "feedback": [{"karma": 0, "comment_id": 1000088, "bug_id": 1740140, "comment": {"karma": 1, "karma_critpath": 0, "text": "works for me", "timestamp": "2019-08-13 18:01:41", "update_id": 146885, "user_id": 2998, "id": 1000088, "testcase_feedback": [], "user": {"name": "samoht0", "email": "samoht0-bugzilla@yahoo.com", "id": 2998, "avatar": "https://seccdn.libravatar.org/avatar/4a429e081c6c9f7b9d9cd4a3f4037fc93517c13e17258f8549f2d2f85f0912e7?s=24&d=retro", "openid": "samoht0.id.fedoraproject.org", "groups": [{"name": "ipausers"}]}}}, {"karma": 0, "comment_id": 1000171, "bug_id": 1740140, "comment": {"karma": 1, "karma_critpath": 1, "text": "Works for me..", "timestamp": "2019-08-13 20:05:24", "update_id": 146885, "user_id": 449, "id": 1000171, "testcase_feedback": [], "user": {"name": "g6avk", "email": "colin.thomson@g6avk.co.uk", "id": 449, "avatar": "https://seccdn.libravatar.org/avatar/a9a8954c462d35fa59f7eeec4e480384f9d1ec0271262a4530bfbf09340120f5?s=24&d=retro", "openid": "g6avk.id.fedoraproject.org", "groups": [{"name": "ipausers"}, {"name": "signed_fpca"}]}}}]}], "updateid": "FEDORA-2019-a746ac9c89", "karma": 2, "content_type": "rpm", "test_cases": []}, "can_edit": false, "ci_allowed": false}