Bug 25403

Summary: kdelibs4 new security issue CVE-2019-14744
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, bequimao.de, fri, geiger.david68210, herman.viaene, kde, sysadmin-bugs, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: kdelibs4-4.14.38-7.mga7.src.rpm CVE:
Status comment:

Description David Walser 2019-09-03 21:50:04 CEST 
+++ This bug was initially created as a clone of Bug #25250 +++

KDE has issued an advisory on August 7:
https://kde.org/info/security/advisory-20190807-1.txt

More details on the issue (with PoC):
https://gist.githubusercontent.com/zeropwn/630832df151029cb8f22d5b6b9efaefb/raw/64aa3d30279acb207f787ce9c135eefd5e52643b/kde-kdesktopfile-command-injection.txt

The issue was fixed upstream in 5.61.0.

Mageia 6 and Mageia 7 are also affected.

kdelibs4 is also affected.

RedHat has issued an advisory for this today (September 3):
https://access.redhat.com/errata/RHSA-2019:2606
David Walser 2019-09-03 21:50:13 CEST

Whiteboard: (none) => MGA7TOO, MGA6TOO

Comment 1 David GEIGER 2019-09-04 09:06:00 CEST 
Done for mga6 and mga7 but it fails to build on Cauldron with:

[ 30%] Generating index.cache.bz2
cd /home/iurt/rpmbuild/BUILD/kdelibs-4.14.38/doc/kioslave/data && /home/iurt/rpmbuild/BUILD/kdelibs-4.14.38/build/bin/meinproc4.shell --check --srcdir=/home/iurt/rpmbuild/BUILD/kdelibs-4.14.38/build/kdoctools/ --cache /home/iurt/rpmbuild/BUILD/kdelibs-4.14.38/build/doc/kioslave/data/index.cache.bz2 /home/iurt/rpmbuild/BUILD/kdelibs-4.14.38/doc/kioslave/data/index.docbook
meinproc4: Unexpected argument '/home/iurt/rpmbuild/BUILD/kdelibs-4.14.38/doc/kioslave/data/index.docbook'.
meinproc4: Use --help to get a list of available command line options.
make[2]: *** [doc/kioslave/data/CMakeFiles/doc-kioslave-data-handbook.dir/build.make:66: doc/kioslave/data/index.cache.bz2] Error 254
make[2]: Leaving directory '/home/iurt/rpmbuild/BUILD/kdelibs-4.14.38/build'
make[1]: *** [CMakeFiles/Makefile2:29675: doc/kioslave/data/CMakeFiles/doc-kioslave-data-handbook.dir/all] Error 2
make[1]: *** Waiting for unfinished jobs....
Comment 2 David Walser 2019-09-04 15:56:02 CEST 
Advisory:
========================

Updated kdelibs4 packages fix security vulnerability:

kdelibs: malicious desktop files and configuration files lead to code execution
with minimal user interaction (CVE-2019-14744).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14744
https://kde.org/info/security/advisory-20190807-1.txt
https://access.redhat.com/errata/RHSA-2019:2606
========================

Updated packages in core/updates_testing:
========================
libkde3support4-4.14.35-1.1.mga6
libkdecore5-4.14.35-1.1.mga6
libkdefakes5-4.14.35-1.1.mga6
libkdesu5-4.14.35-1.1.mga6
libkdeui5-4.14.35-1.1.mga6
libkdnssd4-4.14.35-1.1.mga6
libkfile4-4.14.35-1.1.mga6
libkhtml5-4.14.35-1.1.mga6
libkimproxy4-4.14.35-1.1.mga6
libkio5-4.14.35-1.1.mga6
libkjsembed4-4.14.35-1.1.mga6
libkjs4-4.14.35-1.1.mga6
libkmediaplayer4-4.14.35-1.1.mga6
libknewstuff2_4-4.14.35-1.1.mga6
libknotifyconfig4-4.14.35-1.1.mga6
libkntlm4-4.14.35-1.1.mga6
libkdeclarative5-4.14.35-1.1.mga6
libkparts4-4.14.35-1.1.mga6
libkrosscore4-4.14.35-1.1.mga6
libkrossui4-4.14.35-1.1.mga6
libktexteditor4-4.14.35-1.1.mga6
libkunittest4-4.14.35-1.1.mga6
libkutils4-4.14.35-1.1.mga6
libsolid4-4.14.35-1.1.mga6
libthreadweaver4-4.14.35-1.1.mga6
libkpty4-4.14.35-1.1.mga6
libkjsapi4-4.14.35-1.1.mga6
libplasma3-4.14.35-1.1.mga6
libkunitconversion4-4.14.35-1.1.mga6
libkdewebkit5-4.14.35-1.1.mga6
libknewstuff3_4-4.14.35-1.1.mga6
libkcmutils4-4.14.35-1.1.mga6
libkprintutils4-4.14.35-1.1.mga6
libkidletime4-4.14.35-1.1.mga6
libkemoticons4-4.14.35-1.1.mga6
kdelibs4-core-4.14.35-1.1.mga6
kdelibs4-handbooks-4.14.35-1.1.mga6
kdelibs4-devel-4.14.35-1.1.mga6
libkde3support4-4.14.38-7.1.mga7
libkdecore5-4.14.38-7.1.mga7
libkdefakes5-4.14.38-7.1.mga7
libkdesu5-4.14.38-7.1.mga7
libkdeui5-4.14.38-7.1.mga7
libkdnssd4-4.14.38-7.1.mga7
libkfile4-4.14.38-7.1.mga7
libkhtml5-4.14.38-7.1.mga7
libkimproxy4-4.14.38-7.1.mga7
libkio5-4.14.38-7.1.mga7
libkjsembed4-4.14.38-7.1.mga7
libkjs4-4.14.38-7.1.mga7
libkmediaplayer4-4.14.38-7.1.mga7
libknewstuff2_4-4.14.38-7.1.mga7
libknotifyconfig4-4.14.38-7.1.mga7
libkntlm4-4.14.38-7.1.mga7
libkdeclarative5-4.14.38-7.1.mga7
libkparts4-4.14.38-7.1.mga7
libkrosscore4-4.14.38-7.1.mga7
libkrossui4-4.14.38-7.1.mga7
libktexteditor4-4.14.38-7.1.mga7
libkunittest4-4.14.38-7.1.mga7
libkutils4-4.14.38-7.1.mga7
libsolid4-4.14.38-7.1.mga7
libthreadweaver4-4.14.38-7.1.mga7
libkpty4-4.14.38-7.1.mga7
libkjsapi4-4.14.38-7.1.mga7
libplasma3-4.14.38-7.1.mga7
libkunitconversion4-4.14.38-7.1.mga7
libkdewebkit5-4.14.38-7.1.mga7
libknewstuff3_4-4.14.38-7.1.mga7
libkcmutils4-4.14.38-7.1.mga7
libkprintutils4-4.14.38-7.1.mga7
libkidletime4-4.14.38-7.1.mga7
libkemoticons4-4.14.38-7.1.mga7
kdelibs4-core-4.14.38-7.1.mga7
kdelibs4-handbooks-4.14.38-7.1.mga7
kdelibs4-devel-4.14.38-7.1.mga7

from SRPMS:
kdelibs4-4.14.35-1.1.mga6.src.rpm
kdelibs4-4.14.38-7.1.mga7.src.rpm
Comment 3 Morgan Leijström 2019-09-04 19:33:38 CEST 
mga6 64 bit updated, rebooted, everything I use still seem to work...  Nvidia-current, i7-3770.

CC: (none) => fri

Comment 4 David Walser 2019-11-26 18:32:24 CET 
Was this ever fixed in Cauldron?
Comment 5 David GEIGER 2019-11-26 19:42:48 CET 
(In reply to David Walser from comment #4)
> Was this ever fixed in Cauldron?

It fails to build and I do not know how to fix it.
Comment 6 Thomas Backlund 2019-11-26 20:46:01 CET 
Seemed to build ok on x86_64 here..

Maybe a temporary issue .... so I re-submitted it now

CC: (none) => tmb
Whiteboard: MGA7TOO, MGA6TOO => MGA7TOO

David Walser 2019-11-26 21:49:10 CET

Version: Cauldron => 7
CC: (none) => kde
Whiteboard: MGA7TOO => (none)
Assignee: kde => qa-bugs

Comment 7 Herman Viaene 2019-11-28 10:46:51 CET 
MGA7-64 Plasma on Lenovo B50
Installed all 4.14.38-7.1 stuff, rebooted, and all looks well, desktop behaves OK, as does netwerk and some odp, odt and ods files.

CC: (none) => herman.viaene

Comment 8 Thomas Andrews 2019-11-29 14:26:50 CET 
Color me confused. None of these libraries is currently installed on my perfectly-running 64-bit Plasma system, so apparently I don't need any of them to do the things I do. 

Going by Herman's test, installing them wouldn't hurt anything, and I know that sometimes that's all QA can do, but somehow it seems like we should do more in this case. 

Is a clean install enough? What else would I do?

CC: (none) => andrewsfarm

Comment 9 Ulrich Beckmann 2019-12-10 19:24:33 CET 
(In reply to Thomas Andrews from comment #8)
> Color me confused. None of these libraries is currently installed on my
> perfectly-running 64-bit Plasma system, so apparently I don't need any of
> them to do the things I do. 
> 
> Going by Herman's test, installing them wouldn't hurt anything, and I know
> that sometimes that's all QA can do, but somehow it seems like we should do
> more in this case. 
> 
> Is a clean install enough? What else would I do?

This is KDE 4 stuff. So there is nothing to bother about.

CC: (none) => bequimao.de

Comment 10 Thomas Andrews 2019-12-12 23:01:59 CET 
OKing and validating on the basis of a clean install. Advisory in Comment2.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK
CC: (none) => sysadmin-bugs

Comment 11 Rémi Verschelde 2019-12-13 16:51:41 CET 
Advisory uploaded.

Keywords: (none) => advisory

Comment 12 Mageia Robot 2019-12-13 19:27:08 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0378.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED