CVE-2019-14744: user/kconfig: malicious .desktop files (and others) would execute code
| Bugzilla ID | 176 |
| Alias(es) | CVE-2019-14744 |
| Reporter | Max Rees (sroracle) |
| Assignee | A. Wilcox (awilfox) |
| Reported | 2019-08-08 14:14:36 -0500 |
| Modified | 2020-03-03 08:22:58 -0600 |
| Status | RESOLVED FIXED |
| Version | 1.0-BETA3 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2019-14744 |
Description
In KDE Frameworks KConfig before 5.61.0, malicious desktop files and
configuration files lead to code execution with minimal user
interaction. This relates to libKF5ConfigCore.so, and the mishandling
of .desktop and .directory files, as demonstrated by a shell command
on an Icon line in a .desktop file.
More information:
https://mail.kde.org/pipermail/kde-announce/2019-August/000047.html
Patch:
https://cgit.kde.org/kconfig.git/commit/?id=5d3e71b1d2ecd2cb2f910036e614ffdfc895aa22
This isn't so much a vulnerability as KDE has decided to remove
intentional functionality that could pose a risk.