Overview
========

The syntax Key[$e]=$(shell command) in *.desktop files, .directory files, and configuration files (typically found in ~/.config) was an intentional feature of KConfig, to allow flexible configuration. This could, however, be abused by malicious people to make users install such files and get code executed even without intentional action by the user. A file manager trying to find out the icon for a file or directory could end up executing code, or any application using KConfig could end up executing malicious code during its startup phase, for instance.

See also: https://nvd.nist.gov/vuln/detail/CVE-2019-14744

Upstream fix (backported to 5.60.0-r1): The entire feature of supporting shell commands in KConfig entries has been removed.
https://cgit.kde.org/kconfig.git/commit/?id=5d3e71b1d2ecd2cb2f910036e614ffdfc895aa22
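For administrators who want to check whether any .desktop, .directory or KConfig-style files on a host carry the entry shape described in the report (a key with the [$e] expansion marker whose value contains a $(...) command), the following scanner is an added example. It is not part of the bug report, of KConfig or of the Gentoo fix; the sample file is constructed, the placeholder commands are harmless, and the regular expressions are an approximation of KConfig's key syntax written for this example (the marker may be combined as [$ei] or [$ie], and locale suffixes such as Name[de] carry no "$" and are ignored).

```python
import re
from pathlib import Path

# Constructed sample modelled on the syntax in the report: an [$e] entry whose
# value asks KConfig to run a shell command.  Commands are harmless placeholders.
SAMPLE_DESKTOP = """\
[Desktop Entry]
Type=Directory
Name=Holiday photos
Icon[$e]=$(echo placeholder-command)
Comment=$(echo not-expanded-without-marker)
Exec[$ei]=$(echo placeholder-command-2)
"""

# Bracketed marker containing "$e" in the key part, e.g. [$e], [$ei], [$ie]
# (assumed syntax; locale brackets like [de] do not start with "$").
EXPAND_MARKER = re.compile(r"\[\$[a-z]*e[a-z]*\]")
# Command substitution in the value part.
SHELL_CMD = re.compile(r"\$\(")


def scan_kconfig_text(text, source="<memory>"):
    """Return one finding per entry that combines [$e] with a $(...) value."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Skip blank lines, comments and [Group] headers.
        if not line or line.startswith("#") or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if EXPAND_MARKER.search(key) and SHELL_CMD.search(value):
            findings.append({
                "source": source,
                "line": lineno,
                "key": key.strip(),
                "value": value.strip(),
            })
    return findings


def scan_path(root, suffixes=(".desktop", ".directory")):
    """Walk `root` and scan every file with one of `suffixes`.

    Pass suffixes=None to scan every regular file, which is what you want for
    ~/.config, where KConfig files usually carry no extension.
    """
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if suffixes is not None and path.suffix not in suffixes:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: nothing to scan
        findings.extend(scan_kconfig_text(text, source=str(path)))
    return findings


if __name__ == "__main__":
    for hit in scan_kconfig_text(SAMPLE_DESKTOP, source="sample.desktop"):
        print(f"{hit['source']}:{hit['line']}: {hit['key']} = {hit['value']}")
    # Real run over a home directory (both extension-based and extensionless files):
    # scan_path(Path.home() / ".local/share/applications")
    # scan_path(Path.home() / ".config", suffixes=None)
```

Only the combination of the [$e] marker and a $(...) value is reported, because that is the shape the report describes; a $(...) string in a key without the marker (the Comment line in the sample) is not expanded by KConfig and is left unflagged. On a system running the fixed kconfig-5.60.0-r1 the entries no longer execute, but finding them is still useful for telling which files were placed before the update.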
arm64 stable.
x86 stable
amd64 stable. Maintainer(s), please clean up.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3368d5e2fdca00d0dbfca1a10c7faa76d8221728

commit 3368d5e2fdca00d0dbfca1a10c7faa76d8221728
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2019-08-12 11:07:41 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2019-08-12 11:07:48 +0000

    kde-frameworks/kconfig: Security cleanup 5.60.0 (r0)

    Bug: https://bugs.gentoo.org/691858
    Package-Manager: Portage-2.3.69, Repoman-2.3.16
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 kde-frameworks/kconfig/kconfig-5.60.0.ebuild | 36 ----------------------------
 1 file changed, 36 deletions(-)
KDE proj is done here.
This issue was resolved and addressed in GLSA 201908-07 at https://security.gentoo.org/glsa/201908-07 by GLSA coordinator Aaron Bauman (b-man).