Created Aug 08, 2019 by Emily@emily🤖

user/kconfig: CVE-2019-14744: malicious .desktop files (and others) would execute code

Bugzilla ID 176
Alias(es) CVE-2019-14744
Reporter Max Rees (sroracle)
Assignee A. Wilcox (awilfox)
Reported 2019-08-08 14:14:36 -0500
Modified 2020-03-03 08:22:58 -0600
Status RESOLVED FIXED
Version 1.0-BETA3
Hardware Adélie Linux / All
Importance --- / normal
URL https://nvd.nist.gov/vuln/detail/CVE-2019-14744

Description

In KDE Frameworks KConfig before 5.61.0, malicious desktop files and
configuration files lead to code execution with minimal user
interaction. This relates to libKF5ConfigCore.so, and the mishandling
of .desktop and .directory files, as demonstrated by a shell command
on an Icon line in a .desktop file.

More information:
https://mail.kde.org/pipermail/kde-announce/2019-August/000047.html

Patch:
https://cgit.kde.org/kconfig.git/commit/?id=5d3e71b1d2ecd2cb2f910036e614ffdfc895aa22

This isn't so much a vulnerability as KDE has decided to remove
intentional functionality that could pose a risk.

Edited Feb 02, 2022 by Zach van Rijn
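
For auditing a system that still carries a KConfig older than 5.61.0, the following scanner is an added example, not part of the original report or of KDE's patch. It flags `.desktop` and `.directory` entries whose value contains `$(...)`. The function names are hypothetical, and the `[$e]` key marker and the `$$` escape are assumptions taken from KConfig's expansion syntax, not from the issue text.

```python
import os
import re

# key, optional bracketed suffixes ([de] locale, [$e] expansion marker), value
ENTRY = re.compile(r'^\s*([^=\[\s][^=\[]*?)((?:\[[^\]]*\])*)\s*=(.*)$')

def scan_text(text):
    """Return (line, group, key, marked) for each value containing $(...)."""
    findings, group = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('[') and line.endswith(']'):
            group = line[1:-1]          # e.g. "Desktop Entry"
            continue
        m = ENTRY.match(raw)
        if not m:
            continue
        key, suffixes, value = m.group(1).strip(), m.group(2), m.group(3)
        # Assumption: "$$" is a literal dollar sign, so drop it first.
        if '$(' in value.replace('$$', ''):
            # marked=True means the key carries [$e] (assumed expansion marker)
            findings.append((lineno, group, key, '[$e]' in suffixes))
    return findings

def scan_tree(root):
    """Scan every .desktop and .directory file under root."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(('.desktop', '.directory')):
                path = os.path.join(dirpath, name)
                with open(path, encoding='utf-8', errors='replace') as fh:
                    hits = scan_text(fh.read())
                if hits:
                    results[path] = hits
    return results

# Constructed sample, not taken from the issue or from any real file.
SAMPLE = """[Desktop Entry]
Type=Application
Name[de]=Beispiel
Icon[$e]=$(placeholder-command)
Comment=costs $$(5) per use
Exec=/usr/bin/true
"""

if __name__ == '__main__':
    for hit in scan_text(SAMPLE):
        print(hit)
```

Entries reported with `marked=True` are the ones to review first; unmarked hits are listed only because the syntax is unusual in these files.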