This update fixes CVE-2019-14744 (kconfig arbitrary shell code execution) in the KDE 3 compatibility version of kdelibs used by legacy KDE 3 applications.
The full list of fixes in this update:

* CVE-2019-14744: malicious .desktop files (and others) would execute code. KConfig had a well-meaning feature that allowed configuration files to execute arbitrary shell commands. Unfortunately, this could be abused by untrusted .desktop files to execute arbitrary code as the target user, without the user even running the .desktop file. Therefore, this update removes that ill-fated feature. (Backported by Kevin Kofler from upstream: kf5-kconfig fix by David Faure, kdelibs4 backport by Kai Uwe Broulik.)
* Add native support for the XDG user directories instead of shelling out to xdg-user-dir from the config file. This is needed due to the above security fix. (This feature was previously implemented in the Fedora kde-settings by shelling out to xdg-user-dir from the config file using the KConfig feature removed above.) (Backported by Kevin Kofler from Trinity Desktop / Timothy Pearson.)
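Both items above hinge on the same mechanism, so the following added example (written for this page; it is not code from kdelibs, KConfig, kde-settings or Trinity) models it in one place: a simplified version of the "[$e]" value expansion KConfig applied to config values, with the pre-fix behaviour that handed "$(command)" to the shell beside the fixed behaviour that expands only environment variables, and a native reader for user-dirs.dirs that makes the old "shell out to xdg-user-dir from the config file" trick unnecessary. The "[$e]" marker and "$(...)" syntax are modelled on KConfig's, but the function names (expandEnvOnly, expandLegacy, readValue, xdgUserDir), the sample .desktop text and the sample user-dirs.dirs content are constructed for the example.

```cpp
// Added example (not kdelibs/KConfig/Trinity code): simplified model of KConfig's
// "[$e]" value expansion before and after the CVE-2019-14744 fix, plus a native
// user-dirs.dirs reader that replaces shelling out to xdg-user-dir.
#include <cctype>
#include <cstdio>
#include <cstdlib>
#include <sstream>
#include <string>

// Fixed behaviour: expand only $VAR / ${VAR} from the environment. "$(" is copied
// literally, so nothing in a config value can ever reach a shell.
static std::string expandEnvOnly(const std::string& in) {
    std::string out;
    for (size_t i = 0; i < in.size(); ++i) {
        if (in[i] != '$' || i + 1 >= in.size()) { out += in[i]; continue; }
        std::string name;
        size_t j = i + 1;
        if (in[j] == '{') {
            size_t close = in.find('}', j);
            if (close == std::string::npos) { out += in[i]; continue; }
            name = in.substr(j + 1, close - j - 1);
            i = close;
        } else if (std::isalpha((unsigned char)in[j]) || in[j] == '_') {
            while (j < in.size() && (std::isalnum((unsigned char)in[j]) || in[j] == '_')) ++j;
            name = in.substr(i + 1, j - i - 1);
            i = j - 1;
        } else { out += in[i]; continue; }   // "$(", "$1", lone "$": kept literal
        if (const char* v = std::getenv(name.c_str())) out += v;
    }
    return out;
}

// Pre-fix behaviour: "$(command)" is run through the shell with the user's
// privileges and its output spliced in. This is the primitive the update removes.
static std::string expandLegacy(const std::string& in) {
    std::string out, plain;
    size_t i = 0;
    while (i < in.size()) {
        size_t open = in.find("$(", i);
        size_t close = (open == std::string::npos) ? open : in.find(')', open + 2);
        if (close == std::string::npos) { plain += in.substr(i); break; }
        plain += in.substr(i, open - i);
        out += expandEnvOnly(plain);
        plain.clear();
        std::string cmd = in.substr(open + 2, close - open - 2), cmdOut;
        if (FILE* p = popen(cmd.c_str(), "r")) {      // arbitrary code execution
            char buf[256];
            while (fgets(buf, sizeof buf, p)) cmdOut += buf;
            pclose(p);
        }
        while (!cmdOut.empty() && cmdOut.back() == '\n') cmdOut.pop_back();
        out += cmdOut;
        i = close + 1;
    }
    return out + expandEnvOnly(plain);
}

// Read `key` from a config text as the pre-fix (preFix=true) or fixed library would.
// A "[$e]" suffix on the key is the marker that the value is to be expanded.
static std::string readValue(const std::string& cfg, const std::string& key, bool preFix) {
    std::istringstream in(cfg);
    std::string line;
    while (std::getline(in, line)) {
        size_t eq = line.find('=');
        if (eq == std::string::npos || line[0] == '#' || line[0] == '[') continue;
        std::string k = line.substr(0, eq), v = line.substr(eq + 1);
        bool expand = k.size() > 4 && k.compare(k.size() - 4, 4, "[$e]") == 0;
        if (expand) k.erase(k.size() - 4);
        if (k != key) continue;
        return !expand ? v : (preFix ? expandLegacy(v) : expandEnvOnly(v));
    }
    return "";
}

// Native replacement for `xdg-user-dir NAME`: read XDG_<NAME>_DIR="..." from
// user-dirs.dirs. The file is sh syntax, but xdg-user-dirs only writes "$HOME/..."
// or absolute paths, so env-only expansion suffices. Like the tool, fall back to $HOME.
static std::string xdgUserDir(const std::string& dirsFile, const std::string& name) {
    std::istringstream in(dirsFile);
    std::string line, want = "XDG_" + name + "_DIR=", result;
    while (std::getline(in, line)) {
        if (line.compare(0, want.size(), want) != 0) continue;
        std::string v = line.substr(want.size());
        if (v.size() >= 2 && v.front() == '"' && v.back() == '"') v = v.substr(1, v.size() - 2);
        result = expandEnvOnly(v);
    }
    if (result.empty()) { const char* h = std::getenv("HOME"); result = h ? h : ""; }
    return result;
}

int main() {
    // Constructed sample: a file manager that merely lists this .desktop file reads
    // its Name, so the user never has to launch it for the command to run.
    const std::string desktop = "[Desktop Entry]\nName[$e]=$(echo pwned)\nExec=true\n";
    std::printf("pre-fix Name: %s\n", readValue(desktop, "Name", true).c_str());
    std::printf("fixed Name:   %s\n", readValue(desktop, "Name", false).c_str());
    std::printf("DOCUMENTS:    %s\n",
                xdgUserDir("XDG_DOCUMENTS_DIR=\"$HOME/Documents\"\n", "DOCUMENTS").c_str());
    return 0;
}
```

The fixed path never calls popen at all; "$(echo pwned)" comes back as the literal string, which is also what you should expect to see in the Name column of a KDE 3 file manager after this update. Note that the old kde-settings approach depended on exactly the removed primitive, which is why the second fix had to land in the same update.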
Related bug: #1740138 CVE-2019-14744 kdelibs: malicious desktop files and configuration files lead to code execution with minimal user interaction