https://kde.org/info/security/advisory-20220131-1.txt:

```
KTextEditor and Kate execute binaries without user interaction in a few cases.
Some examples are:

- KTextEditor will try to check on external file modification via invoking the
  "git" binary if the file is known in the repository with the new content.
- Kate will execute the LSP (language server protocol) server associated with
  the mime type of the files you open if the LSP plugin is active
- Kate will execute "git", "svn" and other version control tools on document
  open to retrieve project information if the project plugin is active

KTextEditor & Kate use QProcess for this process invocation.
The typical pattern is like:

QProcess p;
p.setWorkingDirectory(xxx); // in some cases
p.start("binaryname", args);

As the binary name is in most cases passed as a non-absolute executable name,
QProcess will execute a "binaryname" named executable from the working
directory (implicit that of the application or explicit that one set by
setWorkingDirectory), if no matching executable is found in the normal search
path (PATH).

This allows attackers to put malicious executables with the right name for
example in the document directory. If the wanted executable is not in the
search path, the malicious one will be executed.

Impact
======

Opening files might lead to the execution of malicious binaries if they are
placed in the right directories.
```
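The fallback the advisory describes can be closed off by resolving the name to an absolute path from PATH before the process is started, and refusing to start when nothing is found. This is an added example, not code from the advisory or from KDE: `resolveFromPath` and `makeExecutable` are hypothetical names, and it uses standard C++ with POSIX calls instead of Qt.

```cpp
// Added example: PATH-only executable lookup (standard C++ and POSIX, no Qt).
#include <cstdio>
#include <cstdlib>
#include <sstream>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

// Return the absolute path of `name` found in an absolute PATH entry, or ""
// if there is none. Never falls back to the working directory.
std::string resolveFromPath(const std::string &name, const std::string &pathEnv)
{
    // A name containing a slash would bypass the PATH search, so refuse it.
    if (name.empty() || name.find('/') != std::string::npos)
        return "";
    std::istringstream entries(pathEnv);
    std::string dir;
    while (std::getline(entries, dir, ':')) {
        // Empty and relative entries ("", ".", "bin") resolve against the
        // working directory, which may be the untrusted document directory.
        if (dir.empty() || dir[0] != '/')
            continue;
        const std::string candidate = dir + "/" + name;
        struct stat st;
        if (stat(candidate.c_str(), &st) == 0 && S_ISREG(st.st_mode)
            && access(candidate.c_str(), X_OK) == 0)
            return candidate;
    }
    return "";
}

// Constructed fixture for demonstrations: create an executable file in `dir`.
bool makeExecutable(const std::string &dir, const std::string &name)
{
    const std::string path = dir + "/" + name;
    FILE *f = std::fopen(path.c_str(), "w");
    if (!f)
        return false;
    std::fputs("#!/bin/sh\n", f);
    std::fclose(f);
    return chmod(path.c_str(), 0755) == 0;
}

int main()
{
    const char *env = std::getenv("PATH");
    const std::string git = resolveFromPath("git", env ? env : "");
    std::printf("git -> %s\n", git.empty() ? "(not found, do not start)" : git.c_str());
    return 0;
}
```

In Qt code the same lookup is available as `QStandardPaths::findExecutable`, and the absolute path it returns is what gets passed to `QProcess::start`.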
Note that we don't need to patch Kate given we've patched KTextEditor, as per advisory. Patches are simpler for KTextEditor too.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=164f9ef42c0fd49cab16b428e75b47e92327ca50

```
commit 164f9ef42c0fd49cab16b428e75b47e92327ca50
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2022-02-10 08:20:49 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2022-02-10 09:11:01 +0000

    kde-frameworks/ktexteditor: drop 5.88.0*

    Bug: https://bugs.gentoo.org/832447
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 kde-frameworks/ktexteditor/Manifest | 1 -
 .../ktexteditor-5.88.0-revert-invoke-always.patch | 36 -------------
 .../ktexteditor/ktexteditor-5.88.0-r1.ebuild | 63 ----------------------
 3 files changed, 100 deletions(-)
```
kde proj is done here.
*** Bug 833152 has been marked as a duplicate of this bug. ***
*** Bug 833153 has been marked as a duplicate of this bug. ***
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=e942b106d11d2a5ee17ed381e8b9a59583355b52

```
commit e942b106d11d2a5ee17ed381e8b9a59583355b52
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-15 15:42:22 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-01-15 15:42:48 +0000

    [ GLSA 202401-21 ] KTextEditor: Arbitrary Local Code Execution

    Bug: https://bugs.gentoo.org/832447
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202401-21.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
```