Bug 25403 - kdelibs4 new security issue CVE-2019-14744
Summary: kdelibs4 new security issue CVE-2019-14744
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: Cauldron
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: KDE maintainers
QA Contact: Sec team
URL:
Whiteboard: MGA7TOO, MGA6TOO
Keywords:
Depends on:
Blocks:
 
Reported: 2019-09-03 21:50 CEST by David Walser
Modified: 2019-09-04 19:33 CEST (History)
2 users (show)

See Also:
Source RPM: kdelibs4-4.14.38-7.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2019-09-03 21:50:04 CEST
+++ This bug was initially created as a clone of Bug #25250 +++

KDE has issued an advisory on August 7:
https://kde.org/info/security/advisory-20190807-1.txt

More details on the issue (with PoC):
https://gist.githubusercontent.com/zeropwn/630832df151029cb8f22d5b6b9efaefb/raw/64aa3d30279acb207f787ce9c135eefd5e52643b/kde-kdesktopfile-command-injection.txt

The issue was fixed upstream in 5.61.0.

Mageia 6 and Mageia 7 are also affected.

kdelibs4 is also affected.

RedHat has issued an advisory for this today (September 3):
https://access.redhat.com/errata/RHSA-2019:2606
David Walser 2019-09-03 21:50:13 CEST

Whiteboard: (none) => MGA7TOO, MGA6TOO

Comment 1 David GEIGER 2019-09-04 09:06:00 CEST
Done for mga6 and mga7 but it fails to build on Cauldron with:

[ 30%] Generating index.cache.bz2
cd /home/iurt/rpmbuild/BUILD/kdelibs-4.14.38/doc/kioslave/data && /home/iurt/rpmbuild/BUILD/kdelibs-4.14.38/build/bin/meinproc4.shell --check --srcdir=/home/iurt/rpmbuild/BUILD/kdelibs-4.14.38/build/kdoctools/ --cache /home/iurt/rpmbuild/BUILD/kdelibs-4.14.38/build/doc/kioslave/data/index.cache.bz2 /home/iurt/rpmbuild/BUILD/kdelibs-4.14.38/doc/kioslave/data/index.docbook
meinproc4: Unexpected argument '/home/iurt/rpmbuild/BUILD/kdelibs-4.14.38/doc/kioslave/data/index.docbook'.
meinproc4: Use --help to get a list of available command line options.
make[2]: *** [doc/kioslave/data/CMakeFiles/doc-kioslave-data-handbook.dir/build.make:66: doc/kioslave/data/index.cache.bz2] Error 254
make[2]: Leaving directory '/home/iurt/rpmbuild/BUILD/kdelibs-4.14.38/build'
make[1]: *** [CMakeFiles/Makefile2:29675: doc/kioslave/data/CMakeFiles/doc-kioslave-data-handbook.dir/all] Error 2
make[1]: *** Waiting for unfinished jobs....
Comment 2 David Walser 2019-09-04 15:56:02 CEST
Advisory:
========================

Updated kdelibs4 packages fix security vulnerability:

kdelibs: malicious desktop files and configuration files lead to code execution
with minimal user interaction (CVE-2019-14744).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14744
https://kde.org/info/security/advisory-20190807-1.txt
https://access.redhat.com/errata/RHSA-2019:2606
========================

Updated packages in core/updates_testing:
========================
libkde3support4-4.14.35-1.1.mga6
libkdecore5-4.14.35-1.1.mga6
libkdefakes5-4.14.35-1.1.mga6
libkdesu5-4.14.35-1.1.mga6
libkdeui5-4.14.35-1.1.mga6
libkdnssd4-4.14.35-1.1.mga6
libkfile4-4.14.35-1.1.mga6
libkhtml5-4.14.35-1.1.mga6
libkimproxy4-4.14.35-1.1.mga6
libkio5-4.14.35-1.1.mga6
libkjsembed4-4.14.35-1.1.mga6
libkjs4-4.14.35-1.1.mga6
libkmediaplayer4-4.14.35-1.1.mga6
libknewstuff2_4-4.14.35-1.1.mga6
libknotifyconfig4-4.14.35-1.1.mga6
libkntlm4-4.14.35-1.1.mga6
libkdeclarative5-4.14.35-1.1.mga6
libkparts4-4.14.35-1.1.mga6
libkrosscore4-4.14.35-1.1.mga6
libkrossui4-4.14.35-1.1.mga6
libktexteditor4-4.14.35-1.1.mga6
libkunittest4-4.14.35-1.1.mga6
libkutils4-4.14.35-1.1.mga6
libsolid4-4.14.35-1.1.mga6
libthreadweaver4-4.14.35-1.1.mga6
libkpty4-4.14.35-1.1.mga6
libkjsapi4-4.14.35-1.1.mga6
libplasma3-4.14.35-1.1.mga6
libkunitconversion4-4.14.35-1.1.mga6
libkdewebkit5-4.14.35-1.1.mga6
libknewstuff3_4-4.14.35-1.1.mga6
libkcmutils4-4.14.35-1.1.mga6
libkprintutils4-4.14.35-1.1.mga6
libkidletime4-4.14.35-1.1.mga6
libkemoticons4-4.14.35-1.1.mga6
kdelibs4-core-4.14.35-1.1.mga6
kdelibs4-handbooks-4.14.35-1.1.mga6
kdelibs4-devel-4.14.35-1.1.mga6
libkde3support4-4.14.38-7.1.mga7
libkdecore5-4.14.38-7.1.mga7
libkdefakes5-4.14.38-7.1.mga7
libkdesu5-4.14.38-7.1.mga7
libkdeui5-4.14.38-7.1.mga7
libkdnssd4-4.14.38-7.1.mga7
libkfile4-4.14.38-7.1.mga7
libkhtml5-4.14.38-7.1.mga7
libkimproxy4-4.14.38-7.1.mga7
libkio5-4.14.38-7.1.mga7
libkjsembed4-4.14.38-7.1.mga7
libkjs4-4.14.38-7.1.mga7
libkmediaplayer4-4.14.38-7.1.mga7
libknewstuff2_4-4.14.38-7.1.mga7
libknotifyconfig4-4.14.38-7.1.mga7
libkntlm4-4.14.38-7.1.mga7
libkdeclarative5-4.14.38-7.1.mga7
libkparts4-4.14.38-7.1.mga7
libkrosscore4-4.14.38-7.1.mga7
libkrossui4-4.14.38-7.1.mga7
libktexteditor4-4.14.38-7.1.mga7
libkunittest4-4.14.38-7.1.mga7
libkutils4-4.14.38-7.1.mga7
libsolid4-4.14.38-7.1.mga7
libthreadweaver4-4.14.38-7.1.mga7
libkpty4-4.14.38-7.1.mga7
libkjsapi4-4.14.38-7.1.mga7
libplasma3-4.14.38-7.1.mga7
libkunitconversion4-4.14.38-7.1.mga7
libkdewebkit5-4.14.38-7.1.mga7
libknewstuff3_4-4.14.38-7.1.mga7
libkcmutils4-4.14.38-7.1.mga7
libkprintutils4-4.14.38-7.1.mga7
libkidletime4-4.14.38-7.1.mga7
libkemoticons4-4.14.38-7.1.mga7
kdelibs4-core-4.14.38-7.1.mga7
kdelibs4-handbooks-4.14.38-7.1.mga7
kdelibs4-devel-4.14.38-7.1.mga7

from SRPMS:
kdelibs4-4.14.35-1.1.mga6.src.rpm
kdelibs4-4.14.38-7.1.mga7.src.rpm
Comment 3 Morgan Leijström 2019-09-04 19:33:38 CEST
mga6 64 bit updated, rebooted, everything I use still seem to work...  Nvidia-current, i7-3770.

CC: (none) => fri


Note You need to log in before you can comment on or make changes to this bug.