+++ This bug was initially created as a clone of Bug #25250 +++

KDE has issued an advisory on August 7:
https://kde.org/info/security/advisory-20190807-1.txt

More details on the issue (with PoC):
https://gist.githubusercontent.com/zeropwn/630832df151029cb8f22d5b6b9efaefb/raw/64aa3d30279acb207f787ce9c135eefd5e52643b/kde-kdesktopfile-command-injection.txt

The issue was fixed upstream in 5.61.0.

Mageia 6 and Mageia 7 are also affected. kdelibs4 is also affected.

Red Hat has issued an advisory for this today (September 3):
https://access.redhat.com/errata/RHSA-2019:2606
Whiteboard: (none) => MGA7TOO, MGA6TOO
Done for mga6 and mga7 but it fails to build on Cauldron with:

[ 30%] Generating index.cache.bz2
cd /home/iurt/rpmbuild/BUILD/kdelibs-4.14.38/doc/kioslave/data && /home/iurt/rpmbuild/BUILD/kdelibs-4.14.38/build/bin/meinproc4.shell --check --srcdir=/home/iurt/rpmbuild/BUILD/kdelibs-4.14.38/build/kdoctools/ --cache /home/iurt/rpmbuild/BUILD/kdelibs-4.14.38/build/doc/kioslave/data/index.cache.bz2 /home/iurt/rpmbuild/BUILD/kdelibs-4.14.38/doc/kioslave/data/index.docbook
meinproc4: Unexpected argument '/home/iurt/rpmbuild/BUILD/kdelibs-4.14.38/doc/kioslave/data/index.docbook'.
meinproc4: Use --help to get a list of available command line options.
make[2]: *** [doc/kioslave/data/CMakeFiles/doc-kioslave-data-handbook.dir/build.make:66: doc/kioslave/data/index.cache.bz2] Error 254
make[2]: Leaving directory '/home/iurt/rpmbuild/BUILD/kdelibs-4.14.38/build'
make[1]: *** [CMakeFiles/Makefile2:29675: doc/kioslave/data/CMakeFiles/doc-kioslave-data-handbook.dir/all] Error 2
make[1]: *** Waiting for unfinished jobs....
Advisory:
========================

Updated kdelibs4 packages fix security vulnerability:

kdelibs: malicious desktop files and configuration files lead to code execution with minimal user interaction (CVE-2019-14744).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14744
https://kde.org/info/security/advisory-20190807-1.txt
https://access.redhat.com/errata/RHSA-2019:2606
========================

Updated packages in core/updates_testing:
========================
libkde3support4-4.14.35-1.1.mga6 libkdecore5-4.14.35-1.1.mga6 libkdefakes5-4.14.35-1.1.mga6 libkdesu5-4.14.35-1.1.mga6 libkdeui5-4.14.35-1.1.mga6 libkdnssd4-4.14.35-1.1.mga6 libkfile4-4.14.35-1.1.mga6 libkhtml5-4.14.35-1.1.mga6 libkimproxy4-4.14.35-1.1.mga6 libkio5-4.14.35-1.1.mga6 libkjsembed4-4.14.35-1.1.mga6 libkjs4-4.14.35-1.1.mga6 libkmediaplayer4-4.14.35-1.1.mga6 libknewstuff2_4-4.14.35-1.1.mga6 libknotifyconfig4-4.14.35-1.1.mga6 libkntlm4-4.14.35-1.1.mga6 libkdeclarative5-4.14.35-1.1.mga6 libkparts4-4.14.35-1.1.mga6 libkrosscore4-4.14.35-1.1.mga6 libkrossui4-4.14.35-1.1.mga6 libktexteditor4-4.14.35-1.1.mga6 libkunittest4-4.14.35-1.1.mga6 libkutils4-4.14.35-1.1.mga6 libsolid4-4.14.35-1.1.mga6 libthreadweaver4-4.14.35-1.1.mga6 libkpty4-4.14.35-1.1.mga6 libkjsapi4-4.14.35-1.1.mga6 libplasma3-4.14.35-1.1.mga6 libkunitconversion4-4.14.35-1.1.mga6 libkdewebkit5-4.14.35-1.1.mga6 libknewstuff3_4-4.14.35-1.1.mga6 libkcmutils4-4.14.35-1.1.mga6 libkprintutils4-4.14.35-1.1.mga6 libkidletime4-4.14.35-1.1.mga6 libkemoticons4-4.14.35-1.1.mga6 kdelibs4-core-4.14.35-1.1.mga6 kdelibs4-handbooks-4.14.35-1.1.mga6 kdelibs4-devel-4.14.35-1.1.mga6

libkde3support4-4.14.38-7.1.mga7 libkdecore5-4.14.38-7.1.mga7 libkdefakes5-4.14.38-7.1.mga7 libkdesu5-4.14.38-7.1.mga7 libkdeui5-4.14.38-7.1.mga7 libkdnssd4-4.14.38-7.1.mga7 libkfile4-4.14.38-7.1.mga7 libkhtml5-4.14.38-7.1.mga7 libkimproxy4-4.14.38-7.1.mga7 libkio5-4.14.38-7.1.mga7 libkjsembed4-4.14.38-7.1.mga7 libkjs4-4.14.38-7.1.mga7 libkmediaplayer4-4.14.38-7.1.mga7 libknewstuff2_4-4.14.38-7.1.mga7 libknotifyconfig4-4.14.38-7.1.mga7 libkntlm4-4.14.38-7.1.mga7 libkdeclarative5-4.14.38-7.1.mga7 libkparts4-4.14.38-7.1.mga7 libkrosscore4-4.14.38-7.1.mga7 libkrossui4-4.14.38-7.1.mga7 libktexteditor4-4.14.38-7.1.mga7 libkunittest4-4.14.38-7.1.mga7 libkutils4-4.14.38-7.1.mga7 libsolid4-4.14.38-7.1.mga7 libthreadweaver4-4.14.38-7.1.mga7 libkpty4-4.14.38-7.1.mga7 libkjsapi4-4.14.38-7.1.mga7 libplasma3-4.14.38-7.1.mga7 libkunitconversion4-4.14.38-7.1.mga7 libkdewebkit5-4.14.38-7.1.mga7 libknewstuff3_4-4.14.38-7.1.mga7 libkcmutils4-4.14.38-7.1.mga7 libkprintutils4-4.14.38-7.1.mga7 libkidletime4-4.14.38-7.1.mga7 libkemoticons4-4.14.38-7.1.mga7 kdelibs4-core-4.14.38-7.1.mga7 kdelibs4-handbooks-4.14.38-7.1.mga7 kdelibs4-devel-4.14.38-7.1.mga7

from SRPMS:
kdelibs4-4.14.35-1.1.mga6.src.rpm
kdelibs4-4.14.38-7.1.mga7.src.rpm
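A practitioner checking a fleet against this advisory needs to compare installed kdelibs4 package versions with the fixed ones above, and RPM version ordering is not plain string or float comparison (7 is older than 7.1, 1.mga6 is older than 1.1.mga6, a `~` segment sorts before everything). The script below is an added example, not part of the bug report or of Mageia's tooling: it ports rpm's `rpmvercmp()` segment comparison, reads `rpm -qa`-style `name-version-release.arch` lines, and reports which affected packages are still older than the fixed release. The fixed versions and package names are taken from the advisory; the `rpm -qa` sample is constructed, and the script assumes none of the packages carries an epoch (none in the advisory does).

```python
"""Report installed kdelibs4 packages still older than the advisory's fixed EVR.

Added example (not from the bug report). Fixed versions and names come from the
advisory; the `rpm -qa` sample below is constructed; epoch 0 is assumed.
"""
from typing import List, Tuple

# Fixed (epoch, version, release) per Mageia branch, from the advisory's SRPMs.
FIXED = {"mga6": ("0", "4.14.35", "1.1.mga6"),
         "mga7": ("0", "4.14.38", "7.1.mga7")}

# Binary packages listed in the advisory (same set for mga6 and mga7).
AFFECTED = frozenset("""
libkde3support4 libkdecore5 libkdefakes5 libkdesu5 libkdeui5 libkdnssd4 libkfile4
libkhtml5 libkimproxy4 libkio5 libkjsembed4 libkjs4 libkmediaplayer4 libknewstuff2_4
libknotifyconfig4 libkntlm4 libkdeclarative5 libkparts4 libkrosscore4 libkrossui4
libktexteditor4 libkunittest4 libkutils4 libsolid4 libthreadweaver4 libkpty4
libkjsapi4 libplasma3 libkunitconversion4 libkdewebkit5 libknewstuff3_4 libkcmutils4
libkprintutils4 libkidletime4 libkemoticons4 kdelibs4-core kdelibs4-handbooks kdelibs4-devel
""".split())


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): -1/0/1 as a is older/equal/newer than b.
    Runs of digits compare numerically, runs of letters as strings, a numeric
    segment beats an alphabetic one, '~' sorts before anything (even end of
    string) and '^' sorts after end of string but before any other segment."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not a[i].isalnum() and a[i] not in "~^":
            i += 1
        while j < len(b) and not b[j].isalnum() and b[j] not in "~^":
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        isnum = ca.isdigit()
        kind = str.isdigit if isnum else str.isalpha
        si, sj = i, j
        while i < len(a) and kind(a[i]):
            i += 1
        while j < len(b) and kind(b[j]):
            j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:                       # segments are of different kinds
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):    # longer number is larger
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1        # whichever has more left is newer


def evrcmp(x: Tuple[str, str, str], y: Tuple[str, str, str]) -> int:
    """Compare (epoch, version, release) tuples field by field."""
    for p, q in zip(x, y):
        rc = rpmvercmp(p, q)
        if rc:
            return rc
    return 0


def parse_nvra(line: str) -> Tuple[str, str, str, str]:
    """Split 'name-version-release.arch'. Version and release never contain
    '-', so splitting from the right keeps names such as kdelibs4-core intact."""
    nvr, arch = line.strip().rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def vulnerable_packages(rpm_qa_lines: List[str]) -> List[str]:
    """Return the affected packages whose installed EVR is below the fix.
    Branch is taken from the release suffix (mga6/mga7); epoch 0 assumed."""
    found = []
    for line in rpm_qa_lines:
        if not line.strip():
            continue
        name, version, release, _ = parse_nvra(line)
        fixed = FIXED.get(release.rsplit(".", 1)[-1])
        if name not in AFFECTED or fixed is None:
            continue
        if evrcmp(("0", version, release), fixed) < 0:
            found.append(line.strip())
    return found


# Constructed `rpm -qa` output: two pre-update and two updated packages,
# plus one unrelated package that must be ignored.
SAMPLE_RPM_QA = """\
libkdecore5-4.14.38-7.mga7.x86_64
libkio5-4.14.38-7.1.mga7.x86_64
kdelibs4-core-4.14.35-1.mga6.x86_64
libkdeui5-4.14.35-1.1.mga6.x86_64
bash-4.4-1.mga7.x86_64
""".splitlines()

if __name__ == "__main__":
    for pkg in vulnerable_packages(SAMPLE_RPM_QA):
        print("still vulnerable:", pkg)
```

On a live system replace `SAMPLE_RPM_QA` with the output of `rpm -qa 'lib*' 'kdelibs4*'`; with an epoch-bearing package you would also need `--qf '%{EPOCH}:%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'` and a small change to the parser.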
mga6 64 bit updated, rebooted, everything I use still seems to work... Nvidia-current, i7-3770.
CC: (none) => fri
Was this ever fixed in Cauldron?
(In reply to David Walser from comment #4)
> Was this ever fixed in Cauldron?

It fails to build and I do not know how to fix it.
Seemed to build OK on x86_64 here. Maybe a temporary issue... so I re-submitted it now.
CC: (none) => tmb
Whiteboard: MGA7TOO, MGA6TOO => MGA7TOO
Version: Cauldron => 7
CC: (none) => kde
Whiteboard: MGA7TOO => (none)
Assignee: kde => qa-bugs
MGA7-64 Plasma on Lenovo B50. Installed all 4.14.38-7.1 stuff, rebooted, and all looks well: desktop behaves OK, as does network and some odp, odt and ods files.
CC: (none) => herman.viaene
Color me confused. None of these libraries is currently installed on my perfectly-running 64-bit Plasma system, so apparently I don't need any of them to do the things I do. Going by Herman's test, installing them wouldn't hurt anything, and I know that sometimes that's all QA can do, but somehow it seems like we should do more in this case. Is a clean install enough? What else would I do?
CC: (none) => andrewsfarm
(In reply to Thomas Andrews from comment #8)
> Color me confused. None of these libraries is currently installed on my
> perfectly-running 64-bit Plasma system, so apparently I don't need any of
> them to do the things I do.
>
> Going by Herman's test, installing them wouldn't hurt anything, and I know
> that sometimes that's all QA can do, but somehow it seems like we should do
> more in this case.
>
> Is a clean install enough? What else would I do?

This is KDE 4 stuff. So there is nothing to bother about.
CC: (none) => bequimao.de
OKing and validating on the basis of a clean install. Advisory in comment 2.
Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK
CC: (none) => sysadmin-bugs
Advisory uploaded.
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0378.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED