Bug 25250

Summary: kconfig new security issue CVE-2019-14744
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: geiger.david68210, herman.viaene, sysadmin-bugs, tmb, wilcal.int
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6TOO MGA6-64-OK MGA7-64-OK
Source RPM: kconfig-5.60.0-2.mga8.src.rpm CVE:
Status comment:

Description David Walser 2019-08-09 21:33:56 CEST 
KDE has issued an advisory on August 7:
https://kde.org/info/security/advisory-20190807-1.txt

More details on the issue (with PoC):
https://gist.githubusercontent.com/zeropwn/630832df151029cb8f22d5b6b9efaefb/raw/64aa3d30279acb207f787ce9c135eefd5e52643b/kde-kdesktopfile-command-injection.txt

The issue was fixed upstream in 5.61.0.

Mageia 6 is also affected.
David Walser 2019-08-09 21:34:04 CEST

Whiteboard: (none) => MGA7TOO, MGA6TOO

Comment 1 David Walser 2019-08-12 01:41:38 CEST 
Debian has issued an advisory for this on August 9:
https://www.debian.org/security/2019/dsa-4494
Comment 2 David GEIGER 2019-08-19 09:34:22 CEST 
Fixed for mga7 and Cauldron!

unfortunately it does not apply for mga6!

CC: (none) => geiger.david68210

Comment 3 David Walser 2019-08-19 19:42:45 CEST 
We have 5.42.0 in Mageia 6.  Debian backported the fix all the way to 5.28.0, so you should be able to get something to apply.


Mageia 7 package list:
kconfig-5.57.0-1.1.mga7
libkconfigGui5-5.57.0-1.1.mga7
libkconfigCore5-5.57.0-1.1.mga7
libkconfig-devel-5.57.0-1.1.mga7
David Walser 2019-08-19 19:42:57 CEST

Version: Cauldron => 7
Whiteboard: MGA7TOO, MGA6TOO => MGA6TOO

Comment 4 David GEIGER 2019-08-19 20:14:34 CEST 
Done also for mga6!
Comment 5 David Walser 2019-08-19 21:47:17 CEST 
Advisory:
========================

Updated kconfig packages fix security vulnerability:

Dominik Penner discovered that KConfig supported a feature to define shell
command execution in .desktop files. If a user is provided with a malformed
.desktop file (e.g. if it's embedded into a downloaded archive and it gets
opened in a file browser) arbitrary commands could get executed
(CVE-2019-14744).

This update fixes the security issue by removing the shell command feature.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14744
https://www.debian.org/security/2019/dsa-4494
========================

Updated packages in core/updates_testing:
========================
kconfig-5.42.0-1.1.mga6
libkconfigGui5-5.42.0-1.1.mga6
libkconfigCore5-5.42.0-1.1.mga6
libkconfig-devel-5.42.0-1.1.mga6
kconfig-5.57.0-1.1.mga7
libkconfigGui5-5.57.0-1.1.mga7
libkconfigCore5-5.57.0-1.1.mga7
libkconfig-devel-5.57.0-1.1.mga7

from SRPMS:
kconfig-5.42.0-1.1.mga6.src.rpm
kconfig-5.57.0-1.1.mga7.src.rpm

Assignee: kde => qa-bugs

Comment 6 David Walser 2019-08-28 22:24:06 CEST 
Ubuntu has issued an advisory for this on August 16:
https://usn.ubuntu.com/4100-1/
Comment 7 Herman Viaene 2019-09-02 11:39:57 CEST 
MGA6-64 Plasma on Lenovo B50
No installation issues.
No previous updates on this, find no east test case or tutorial on the commands.
Only thing I get:
$ kreadconfig5 
Usage: kreadconfig5 [options]

Options:
  --file <file>      Use <file> instead of global config
  --group <group>    Group to look in. Use repeatedly for nested groups.
  --key <key>        Key to look for
  --default <value>  Default value
  --type <type>      Type of variable

There is no -h or --help or -v.

CC: (none) => herman.viaene

Comment 9 William Kenney 2019-09-12 21:10:37 CEST 
What is the best way to test this?

Thanks

CC: (none) => wilcal.int

Comment 10 David Walser 2019-09-12 23:28:10 CEST 
See the PoC link in Comment 0.
Comment 11 claire robinson 2019-09-13 00:43:55 CEST 
Tested OK mga6 64

Confirmed the PoC. Created ~/test/payload.desktop with..

[Desktop Entry]
Icon[$e]=$(echo${IFS}0>~/Desktop/zero.lol&)

..in it.

Used dolphin to browse to test directory and it created a zero.lol file onthe Desktop.

Removed the zero.lol file, closed dolphin and installed the updates.

Browsed back to ~/test and no zero.lol created.

Whiteboard: MGA6TOO => MGA6TOO mga6-64-ok

Comment 12 Herman Viaene 2019-09-14 11:30:14 CEST 
MGA7-64 Plasma on Lenovo B50
No installation issues.
Followed Claire's lead above and confirm that the version 5.57.0-1 creates  the zero.lol file, and with the test update 5.57.0-1.1 it doesn't anymore.
Side note: in both cases deleting (not putting into Trash) the zero.lol file either from the actual desktop or from the ~/Desktop folder causes dolphinto hang.

Whiteboard: MGA6TOO mga6-64-ok => MGA6TOO MGA6-64-OK MGA7-64-OK

Thomas Backlund 2019-09-15 15:29:27 CEST

Keywords: (none) => advisory, validated_update
CC: (none) => tmb, sysadmin-bugs

Comment 13 Mageia Robot 2019-09-15 16:46:37 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0278.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED