Announcement

Collapse
No announcement yet.

KDE Frameworks 5.61 Fixes The Directory/Desktop File Security Vulnerability

Collapse
X
Collapse
 
  • Page of 1
  • Filter
  • Time
  • Show
Clear All
new posts
Previous template Next
  • #1

    KDE Frameworks 5.61 Fixes The Directory/Desktop File Security Vulnerability

    Phoronix: KDE Frameworks 5.61 Fixes The Directory/Desktop File Security Vulnerability

    Out this Sunday is the KDE Frameworks 5.61 update that most notable addresses the recently exposed vulnerability to KDE where specially crafted .desktop and .directory files could automatically execute arbitrary code on users' systems...

    KDE Frameworks 5.61 Fixes The Directory/Desktop File Security Vulnerability - Phoronix
    http://www.phoronix.com/scan.php?page=news_item&px=KDE-Frameworks-5.61-Released
    Phoronix, Linux Hardware Reviews, Linux hardware benchmarks, Linux server benchmarks, Linux benchmarking, Desktop Linux, Linux performance, Open Source graphics, Linux How To, Ubuntu benchmarks, Ubuntu hardware, Phoronix Test Suite
    Tags: None
  • #2
    Fixed... "the entire feature of supporting shell commands in KConfig entries has been removed, because we couldn't find an actual use case for it" https://kde.org/info/security/advisory-20190807-1.txt (and I'm still waiting for them to acknowledge the bug reports I filed when I was a KDE user...)

    Comment

    • #3
      Trinity (TDE) also had that code... I just removed it from tdeconfigbase.cpp and recompiled tdelibs. I didn't want to get fresh sources and rebuild it all so soon (just did a few weeks ago and I like being happy with what I have).

      This has probably been in KDE for the last 15 years or so.
      • Likes 1

      Comment

      • #4

        When reading the related security advisory, I thought, who is still using kdelibs 4.14? And then Grogan posts that he applied a patch to Trinity :-)
        • Likes 2

        Comment

        • #5
          Originally posted by R41N3R View Post
          When reading the related security advisory, I thought, who is still using kdelibs 4.14? And then Grogan posts that he applied a patch to Trinity :-)
          Which uses an even older version of kdelibs (now tdelibs) ;-)

          Comment

          • #6
            KDE 4 is still relevant too, for example Slackware's official KDE packages are still KDE 4.14 in -current:

            Code:
            [SIZE=-1]Thu Aug 8 05:25:56 UTC 2019
kde/kdelibs-4.14.38-x86_64-4.txz: Rebuilt.
       kconfig: malicious .desktop files (and others) would execute code.
       For more information, see:
       https://mail.kde.org/pipermail/kde-announce/2019-August/000047.html
       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14744
       (* Security fix *)[/SIZE]


            (Note that AlienBob provides good Plasma 5 packages and all their dependencies on Slackware so it's not like you're stuck with that)
            • Likes 1

            Comment

            Previous template Next
            Working...
            X