KDE has issued an advisory on August 7:
https://kde.org/info/security/advisory-20190807-1.txt

More details on the issue (with PoC):
https://gist.githubusercontent.com/zeropwn/630832df151029cb8f22d5b6b9efaefb/raw/64aa3d30279acb207f787ce9c135eefd5e52643b/kde-kdesktopfile-command-injection.txt

The issue was fixed upstream in 5.61.0.

Mageia 6 is also affected.
Whiteboard: (none) => MGA7TOO, MGA6TOO
Debian has issued an advisory for this on August 9: https://www.debian.org/security/2019/dsa-4494
Fixed for mga7 and Cauldron! Unfortunately it does not apply for mga6!
CC: (none) => geiger.david68210
We have 5.42.0 in Mageia 6. Debian backported the fix all the way to 5.28.0, so you should be able to get something to apply.

Mageia 7 package list:
kconfig-5.57.0-1.1.mga7
libkconfigGui5-5.57.0-1.1.mga7
libkconfigCore5-5.57.0-1.1.mga7
libkconfig-devel-5.57.0-1.1.mga7
Version: Cauldron => 7
Whiteboard: MGA7TOO, MGA6TOO => MGA6TOO
Done also for mga6!
Advisory:
========================

Updated kconfig packages fix security vulnerability:

Dominik Penner discovered that KConfig supported a feature to define shell command execution in .desktop files. If a user is provided with a malformed .desktop file (e.g. if it's embedded into a downloaded archive and it gets opened in a file browser) arbitrary commands could get executed (CVE-2019-14744).

This update fixes the security issue by removing the shell command feature.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14744
https://www.debian.org/security/2019/dsa-4494
========================

Updated packages in core/updates_testing:
========================
kconfig-5.42.0-1.1.mga6
libkconfigGui5-5.42.0-1.1.mga6
libkconfigCore5-5.42.0-1.1.mga6
libkconfig-devel-5.42.0-1.1.mga6
kconfig-5.57.0-1.1.mga7
libkconfigGui5-5.57.0-1.1.mga7
libkconfigCore5-5.57.0-1.1.mga7
libkconfig-devel-5.57.0-1.1.mga7

from SRPMS:
kconfig-5.42.0-1.1.mga6.src.rpm
kconfig-5.57.0-1.1.mga7.src.rpm
Assignee: kde => qa-bugs
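As an added example (not part of this bug report, the advisory, or the kconfig project's own code), a small scanner for the construct the advisory describes: a key carrying the `[$e]` expansion marker whose value contains a `$(...)` command substitution. Useful for checking local .desktop files on hosts that have not yet received the fixed packages. The sample file below is constructed; plain `$VAR` and `~` expansion under `[$e]` is not flagged, since only the command-execution part was removed by the fix.

```python
import re
import sys
from typing import List, NamedTuple

# KConfig key syntax: Key, optional [locale], optional [$markers] such as [$e], [$i], [$ei].
KEY_RE = re.compile(
    r"^(?P<key>[^\[=]+?)(?P<locale>\[[^$\]][^\]]*\])?(?P<markers>\[\$[a-z]+\])?\s*=\s*(?P<value>.*)$"
)
# The "$(command)" form is what the [$e] expansion used to execute (CVE-2019-14744).
CMD_SUBST_RE = re.compile(r"\$\(")


class Finding(NamedTuple):
    group: str
    key: str
    value: str


def find_shell_expansions(desktop_text: str) -> List[Finding]:
    """Return every key in a .desktop file that combines the [$e] marker with $(...)."""
    findings: List[Finding] = []
    group = ""
    for raw in desktop_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]  # group header, e.g. [Desktop Entry]
            continue
        m = KEY_RE.match(line)
        if m is None:
            continue
        markers = m.group("markers") or ""
        if "e" in markers and CMD_SUBST_RE.search(m.group("value")):
            findings.append(Finding(group, m.group("key"), m.group("value")))
    return findings


# Constructed sample: a harmless $(echo ...) stands in for the command substitution.
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name[de]=Beispiel
Exec=firefox %u
Path[$e]=~/Documents
Icon[$e]=$(echo pwned)
"""

if __name__ == "__main__":
    # Usage: python scan_desktop.py file.desktop [...]; with no arguments the sample is scanned.
    sources = [open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[1:]] or [SAMPLE_DESKTOP]
    for text in sources:
        for f in find_shell_expansions(text):
            print(f"[{f.group}] {f.key}[$e] -> {f.value}")
```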
Ubuntu has issued an advisory for this on August 16: https://usn.ubuntu.com/4100-1/
MGA6-64 Plasma on Lenovo B50

No installation issues.

No previous updates on this, find no easy test case or tutorial on the commands. Only thing I get:

$ kreadconfig5
Usage: kreadconfig5 [options]

Options:
  --file <file>        Use <file> instead of global config
  --group <group>      Group to look in. Use repeatedly for nested groups.
  --key <key>          Key to look for
  --default <value>    Default value
  --type <type>        Type of variable

There is no -h or --help or -v.
CC: (none) => herman.viaene
Advisory references should have been...

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14744
https://kde.org/info/security/advisory-20190807-1.txt
https://www.debian.org/security/2019/dsa-4494
What is the best way to test this? Thanks
CC: (none) => wilcal.int
See the PoC link in Comment 0.
Tested OK mga6 64

Confirmed the PoC. Created ~/test/payload.desktop with..

[Desktop Entry]
Icon[$e]=$(echo${IFS}0>~/Desktop/zero.lol&)

..in it. Used dolphin to browse to the test directory and it created a zero.lol file on the Desktop. Removed the zero.lol file, closed dolphin and installed the updates. Browsed back to ~/test and no zero.lol created.
Whiteboard: MGA6TOO => MGA6TOO mga6-64-ok
MGA7-64 Plasma on Lenovo B50

No installation issues.

Followed Claire's lead above and confirm that the version 5.57.0-1 creates the zero.lol file, and with the test update 5.57.0-1.1 it doesn't anymore.

Side note: in both cases deleting (not putting into Trash) the zero.lol file either from the actual desktop or from the ~/Desktop folder causes dolphin to hang.
Whiteboard: MGA6TOO mga6-64-ok => MGA6TOO MGA6-64-OK MGA7-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => tmb, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0278.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED