This update fixes CVE-2019-14744 (kconfig arbitrary shell code execution) in the compatibility library kdelibs 4 used by legacy applications (not yet ported to KDE Frameworks 5). The included kde-settings update removes obsolete settings that conflict with the security fix and are no longer needed (see below for details).

The full list of fixes in the kdelibs 4 build:

  • fixes CVE-2019-14744 (#1740138, #1740140) – kconfig: malicious .desktop files (and others) would execute code. KConfig had a well-meaning feature that allowed configuration files to execute arbitrary shell commands. Unfortunately, this could be abused by untrusted .desktop files to execute arbitrary code as the target user, without the user even running the .desktop file. Therefore, this update removes that ill-fated feature. (Patch from upstream: kf5-kconfig fix by David Faure, kdelibs 4 backport by Kai Uwe Broulik.)
  • fixes #917848 – removes support for the gamin file watching service which is unmaintained and buggy and can lead to application lockups. KDirWatch now relies exclusively on inotify (directly). (Packaging fix by Rex Dieter.)
  • fixes #1730770 – removes an unused dependency on the obsolete xf86misc library. (Packaging fix by Kevin Kofler.)

The fixes in the kde-settings build remove settings that were calling xdg-user-dir, because the above CVE-2019-14744 fix drops KConfig's support for running shell commands from configuration files, and because the settings are all no longer needed (they either only reproduce default behavior or were commented out):

  • /usr/share/kde-settings/kde-profile/default/share/config/kdeglobals, /usr/share/kde-settings/kde-profile/minimal/share/config/kdeglobals: Remove the [Paths] section. The Desktop and Documents directories that were set there are already detected by default by kdelibs 4 (it has native support for xdg-user-dirs and does not need the external xdg-user-dir command invocation), and now also by kdelibs3 >= 3.5.10-101 (which has native xdg-user-dirs support backported). The Trash setting was already commented out.
  • /usr/share/kde-settings/kde-profile/default/xdg/baloofilerc: Delete the commented-out folders setting that attempts to call xdg-user-dir.
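An audit check, added here and not part of this advisory or of the kdelibs/kde-settings code, that parses KConfig-style files and reports active entries carrying KConfig's `[$e]` shell-expansion flag with a `$(...)` command in the value: the construct the CVE-2019-14744 fix disables, and the kind of [Paths] entry the kde-settings update removes. The sample kdeglobals content is constructed, and the file patterns in `scan_tree` are an assumption about where such files live.

```python
import re
from pathlib import Path

# KConfig entry: key, optional [..] suffixes (locale like [de] or flags like [$e], [$ei]), =, value
ENTRY_RE = re.compile(r"^\s*([^=\[\]#]+?)((?:\[[^\]]*\])*)\s*=\s*(.*)$")
FLAG_RE = re.compile(r"\[\$([a-z]+)\]")

def find_shell_expansions(text):
    """Return (line_no, group, key, value) for active entries carrying the $e flag whose value
    holds a $( command substitution; comment lines and $VAR-only values (no command) are skipped."""
    hits, group = [], None
    for no, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if s.startswith("[") and s.endswith("]"):
            group = s[1:-1]                  # section header such as [Paths]
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        key, flags, value = m.groups()
        if any("e" in f for f in FLAG_RE.findall(flags)) and "$(" in value:
            hits.append((no, group, key.strip(), value))
    return hits

def scan_tree(root, patterns=("*.desktop", "*rc", "kdeglobals")):
    """Map each matching file under root (e.g. a home directory) to its flagged entries."""
    findings = {}
    for pattern in patterns:
        for path in Path(root).rglob(pattern):
            if path.is_file():
                hits = find_shell_expansions(path.read_text(errors="replace"))
                if hits:
                    findings[str(path)] = hits
    return findings

# Constructed sample in the spirit of the removed [Paths] entries, not the real Fedora file.
SAMPLE_KDEGLOBALS = """\
[Paths]
Desktop[$e]=$(xdg-user-dir DESKTOP)
Documents[$e]=$(xdg-user-dir DOCUMENTS)
#Trash[$e]=$(xdg-user-dir TRASH)
Home[$e]=$HOME/stuff
"""

if __name__ == "__main__":
    for no, group, key, value in find_shell_expansions(SAMPLE_KDEGLOBALS):
        print(f"line {no} [{group}] {key} -> {value}")
```

Against the sample, only the two active xdg-user-dir entries are reported; the commented-out Trash line and the $HOME-only entry are not.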

Logout Required
After installing this update, you must log out of your current user session and log back in to ensure the changes supplied by this update are applied properly.

How to install

sudo dnf upgrade --advisory=FEDORA-2019-a746ac9c89

This update has been submitted for testing by kkofler.

4 months ago

This update's test gating status has been changed to 'waiting'.

4 months ago

This update's test gating status has been changed to 'ignored'.

4 months ago

This update has been pushed to testing.

4 months ago
samoht0 commented & provided feedback 4 months ago
karma

works for me

g6avk commented & provided feedback 4 months ago
karma

Works for me..

This update can be pushed to stable now if the maintainer wishes

4 months ago

This update has been submitted for stable by kkofler.

4 months ago

This update has been pushed to stable.

4 months ago


Metadata
Type: security
Severity: urgent
Karma: 2
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -10
Dates
submitted: 4 months ago
in testing: 4 months ago
in stable: 4 months ago
BZ#917848 gam_server deadlocks, leading to all KDE applications hanging
BZ#1730770 kdelibs-devel requires pkgconfig(xxf86misc) but that's not available in rawhide anymore
BZ#1740138 CVE-2019-14744 kdelibs: malicious desktop files and configuration files lead to code execution with minimal user interaction
BZ#1740140 CVE-2019-14744 kdelibs: malicious desktop files and configuration files lead to code execution with minimal user interaction [fedora-all]