FEDORA-2019-f9f78895c3

security update in Fedora 30 for kdelibs3

Status: stable 4 days ago

This update fixes CVE-2019-14744 (kconfig arbitrary shell code execution) in the KDE 3 compatibility version of kdelibs used by legacy KDE 3 applications.

The full list of fixes in this kdelibs3 build:

  • fixes CVE-2019-14744 - kconfig: malicious .desktop files (and other KConfig-format files) would execute code. KConfig had a well-meaning feature that allowed configuration files to execute arbitrary shell commands. Unfortunately, this could be abused by untrusted .desktop files to execute arbitrary code as the target user, without the user even running the .desktop file: merely having a KConfig-based application read the file (for example, to display its name or icon) was enough. Therefore, this update removes that ill-fated feature. (Backported by Kevin Kofler from upstream: kf5-kconfig fix by David Faure, kdelibs 4 backport by Kai Uwe Broulik.)
  • adds native support for xdg-user-dirs for the Desktop and Documents directories, without shelling out to xdg-user-dir from the config file. This is needed because of the security fix above: the Fedora kde-settings package previously obtained these paths by shelling out to xdg-user-dir from the config file, using exactly the KConfig feature that is now removed. (Backported by Kevin Kofler from Trinity Desktop / Timothy Pearson.)
  • fixes a KJS double-free that could crash legacy KDE 3 applications such as Quanta Plus when trying to execute JavaScript. (Backported by OpenSUSE / Wolfgang Bauer from Trinity Desktop / Timothy Pearson.)
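The two mechanisms described above, the KConfig shell expansion that CVE-2019-14744 abuses and the shell-free xdg-user-dirs lookup that replaces the old config-file shell-out, as an added Python example; this is not code from this update, from kdelibs or from KConfig. It relies on the documented KConfig syntax, where a key suffixed `[$e]` has its value expanded with `$VAR` environment references and `$(command)` command substitution. The .desktop and user-dirs.dirs contents are constructed samples, and `parse_entries`, `find_shell_expansion`, `expand_env_only` and `xdg_user_dir` are illustrative names of my own. The scanner flags entries that the pre-fix KConfig would have handed to a shell, and the expander shows the hardened behaviour: environment variables are substituted, command substitution is left inert.

```python
import os
import re

# Constructed sample, not a file from the update: a .desktop entry whose Icon
# key carries the KConfig "$e" flag, so its value would be shell-expanded by
# any pre-fix KConfig reader that merely looks at the entry.
MALICIOUS_DESKTOP = """[Desktop Entry]
Type=Application
Name=Harmless Looking App
Icon[$e]=$(touch /tmp/kconfig-demo)
Exec=true
"""

# Constructed benign sample: [$e] with only an environment reference.
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=Normal App
Icon=utilities-terminal
Exec=true
Path[$e]=$HOME/bin
"""

# Constructed sample of ~/.config/user-dirs.dirs as written by xdg-user-dirs-update.
USER_DIRS_SAMPLE = """# This file is written by xdg-user-dirs-update
XDG_DESKTOP_DIR="$HOME/Desktop"
XDG_DOCUMENTS_DIR="$HOME/Documents"
XDG_DOWNLOAD_DIR="/srv/downloads"
"""

# key, optional bracketed flags such as [$e] or [de], then "=" and the value
KEY_RE = re.compile(r'^([^=\[\]]+)((?:\[[^\]]*\])*)=(.*)$')
# $VAR or ${VAR}; deliberately does not match "$(" so command substitution stays literal
ENV_REF_RE = re.compile(r'\$(\w+)|\$\{(\w+)\}')


def parse_entries(text):
    """Return (group, key, flags, value) tuples for each key=value line of an
    INI-style KConfig/.desktop file. flags is the list of bracket suffixes."""
    group = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('[') and line.endswith(']'):
            group = line[1:-1]
            continue
        m = KEY_RE.match(line)
        if not m:
            continue
        key, flag_blob, value = m.group(1), m.group(2), m.group(3)
        flags = re.findall(r'\[([^\]]*)\]', flag_blob)
        entries.append((group, key, flags, value))
    return entries


def find_shell_expansion(text):
    """Return (group, key, value) for every [$e] entry whose value contains a
    $( ... ) command substitution, i.e. what pre-fix KConfig would run in a shell."""
    hits = []
    for group, key, flags, value in parse_entries(text):
        if '$e' in flags and '$(' in value:
            hits.append((group, key, value))
    return hits


def expand_env_only(value, env):
    """Hardened expansion: substitute $VAR / ${VAR} from the given mapping and
    never invoke a shell, so "$(cmd)" survives as literal text and runs nothing."""
    def repl(m):
        name = m.group(1) or m.group(2)
        return env.get(name, '')
    return ENV_REF_RE.sub(repl, value)


def xdg_user_dir(name, user_dirs_text, env):
    """Native lookup of an XDG user directory (e.g. 'DOCUMENTS') from the
    content of user-dirs.dirs, replacing a $(xdg-user-dir DOCUMENTS) shell-out.
    Falls back to $HOME when no entry exists, as the xdg-user-dir tool does."""
    wanted = f'XDG_{name}_DIR'
    for line in user_dirs_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue
        key, _, raw_value = line.partition('=')
        if key.strip() != wanted:
            continue
        return expand_env_only(raw_value.strip().strip('"'), env)
    return env.get('HOME', '')


if __name__ == '__main__':
    env = {'HOME': os.environ.get('HOME', '/home/user')}
    for group, key, value in find_shell_expansion(MALICIOUS_DESKTOP):
        print(f'[{group}] {key}[$e] would have run a shell: {value}')
    print('DOCUMENTS ->', xdg_user_dir('DOCUMENTS', USER_DIRS_SAMPLE, env))
```

The scanner is only meaningful against hosts still running a KConfig that expands `$(...)`; after this update (and the corresponding kf5 and kdelibs 4 fixes) the command substitution is no longer executed, so a flagged file is an indicator of attempted abuse rather than a live risk. Pointing it at a user's application directories or at a downloaded .desktop file is the quick check a responder would want.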

Comments (9)

This update has been submitted for testing by kkofler.

This update's test gating status has been changed to 'waiting'.

This update's test gating status has been changed to 'ignored'.

This update has been pushed to testing.

This update's test gating status has been changed to 'greenwave_failed'.

This update's test gating status has been changed to 'ignored'.

kkofler edited this update.

This update has been submitted for stable by kkofler.

This update has been pushed to stable.


Content Type: RPM
Status: stable
Test Gating: ignored
Submitted by: kkofler
Update Type: security
Update Severity: urgent
Karma: 0 (stable threshold: 1, unstable threshold: -10)
Autopush (karma): Disabled
Autopush (time): Disabled
Dates: submitted 13 days ago; in testing 12 days ago; in stable 4 days ago; modified 11 days ago

Related Bugs (1)

#1740138 CVE-2019-14744 kdelibs: malicious desktop files and configuration files lead to code execution with minimal user interaction
