KDE Frameworks 5.61 Fixes The Directory/Desktop File Security Vulnerability

  • KDE Frameworks 5.61 Fixes The Directory/Desktop File Security Vulnerability

    Phoronix: KDE Frameworks 5.61 Fixes The Directory/Desktop File Security Vulnerability

    Out this Sunday is the KDE Frameworks 5.61 update that most notably addresses the recently exposed vulnerability in KDE where specially crafted .desktop and .directory files could automatically execute arbitrary code on users' systems...

    http://www.phoronix.com/scan.php?pag...-5.61-Released

  • #2
    Fixed... "the entire feature of supporting shell commands in KConfig entries has been removed, because we couldn't find an actual use case for it" https://kde.org/info/security/advisory-20190807-1.txt (and I'm still waiting for them to acknowledge the bug reports I filed when I was a KDE user...)

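The advisory quoted in #2 refers to KConfig's `[$e]` key flag: a key written as `Icon[$e]=...` was subject to expansion, and before Frameworks 5.61 a `$(...)` segment in such a value was passed to a shell. Environment-variable expansion (`$HOME`) remains; only the shell-command form was removed. The following scanner is an added illustration written for this thread, not code from KDE, Trinity or Slackware: it parses .desktop/.directory text and reports every `[$e]`-flagged entry, marking those that still carry a `$(` command substitution so an administrator can review files dropped into shared or user-writable directories on systems that have not yet received the fix. The sample file and its entries are constructed.

```python
"""Detect KConfig shell-expansion entries in .desktop / .directory files.

Added example for this thread (not KDE, Trinity or Slackware code).
Assumed background, from the linked advisory for CVE-2019-14744:
  - a key may carry a flag block such as ``Icon[$e]=value``;
  - with the ``e`` flag, ``$VAR`` is expanded and, before KF 5.61,
    ``$(command)`` was executed through a shell.
This tool only reports such entries; it never expands or executes them.
"""
import re
import sys
from dataclasses import dataclass

# "Key", optional "[locale]" / "[$flags]" blocks, "=", value.
_KEY_RE = re.compile(r"^\s*([^=\[\]#]+?)((?:\[[^\]]*\])*)\s*=(.*)$")
_FLAG_BLOCK_RE = re.compile(r"\[\$([a-z]+)\]")   # e.g. [$e], [$ei]
_SHELL_SUBST_RE = re.compile(r"\$\(")             # the $(...) form removed in 5.61


@dataclass
class Finding:
    line_no: int
    group: str
    key: str
    value: str
    shell_subst: bool   # True when the value contains a $( ... ) command


def scan_desktop_text(text: str) -> list[Finding]:
    """Return one Finding per key that carries the KConfig 'e' flag."""
    findings: list[Finding] = []
    group = ""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]            # e.g. [Desktop Entry]
            continue
        m = _KEY_RE.match(raw)
        if not m:
            continue                      # not a key=value line
        key, flag_blocks, value = m.group(1).strip(), m.group(2), m.group(3).strip()
        # Locale blocks like [de] are ignored; only [$...] blocks carry flags.
        has_expand_flag = any("e" in f for f in _FLAG_BLOCK_RE.findall(flag_blocks))
        if has_expand_flag:
            findings.append(Finding(no, group, key, value,
                                    bool(_SHELL_SUBST_RE.search(value))))
    return findings


def scan_file(path: str) -> list[Finding]:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_desktop_text(fh.read())


# Constructed sample: one harmless directory file with two [$e] entries.
SAMPLE = """[Desktop Entry]
Type=Directory
Name=Holiday photos
Name[de]=Urlaubsfotos
Icon[$e]=$(echo expanded)
Comment[$e]=$HOME/notes
"""


if __name__ == "__main__":
    paths = sys.argv[1:]
    results = [(p, scan_file(p)) for p in paths] if paths else [("<sample>", scan_desktop_text(SAMPLE))]
    for path, found in results:
        for f in found:
            tag = "SHELL-COMMAND" if f.shell_subst else "expand-only"
            print(f"{path}:{f.line_no}: [{f.group}] {f.key} = {f.value!r}  ({tag})")
```

Run it with no arguments to scan the embedded sample, or pass one or more file paths; entries tagged `SHELL-COMMAND` are the ones the 5.61 change neutralises, while `expand-only` entries use the variable expansion that KConfig still supports.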


    • #3
      Trinity (TDE) also had that code... I just removed it from tdeconfigbase.cpp and recompiled tdelibs. I didn't want to get fresh sources and rebuild it all so soon (just did a few weeks ago and I like being happy with what I have).

      This has probably been in KDE for the last 15 years or so.



      • #4

        When reading the related security advisory, I thought, who is still using kdelibs 4.14? And then Grogan posts that he applied a patch to Trinity :-)



        • #5
          Worst part is that similar bugs must be expected.



          • #6
            Originally posted by R41N3R:
            "When reading the related security advisory, I thought, who is still using kdelibs 4.14? And then Grogan posts that he applied a patch to Trinity :-)"
            Which uses an even older version of kdelibs (now tdelibs) ;-)



            • #7
              KDE 4 is still relevant too, for example Slackware's official KDE packages are still KDE 4.14 in -current:

              Code:
              Thu Aug 8 05:25:56 UTC 2019
              kde/kdelibs-4.14.38-x86_64-4.txz: Rebuilt.
                     kconfig: malicious .desktop files (and others) would execute code.
                     For more information, see:
                     https://mail.kde.org/pipermail/kde-announce/2019-August/000047.html
                     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14744
                     (* Security fix *)


              (Note that AlienBob provides good Plasma 5 packages and all their dependencies on Slackware so it's not like you're stuck with that)
