Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 691858 (CVE-2019-14744) - <kde-frameworks/kconfig-5.60.0-r1: malicious .desktop files (and others) would execute code
Summary: <kde-frameworks/kconfig-5.60.0-r1: malicious .desktop files (and others) woul...
Status: RESOLVED FIXED
Alias: CVE-2019-14744
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://kde.org/info/security/advisor...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-08-09 17:48 UTC by Andreas Sturmlechner
Modified: 2019-08-15 15:42 UTC (History)
0 users

See Also:
Package list:
kde-frameworks/kconfig-5.60.0-r1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Sturmlechner gentoo-dev 2019-08-09 17:48:11 UTC
Overview
========
The syntax Key[$e]=$(shell command) in *.desktop files, .directory files, and configuration files (typically found in ~/.config) was an intentional feature of KConfig, to allow flexible configuration. This could however be abused by malicious people to make the users install such files and get code executed even without intentional action by the user. A file manager trying to find out the icon for a file or directory could end up executing code, or any application using KConfig could end up executing malicious code during its startup phase for instance.

See also:
https://nvd.nist.gov/vuln/detail/CVE-2019-14744

Upstream fix (backported to 5.60.0-r1):
The entire feature of supporting shell commands in KConfig entries has been removed.
https://cgit.kde.org/kconfig.git/commit/?id=5d3e71b1d2ecd2cb2f910036e614ffdfc895aa22
Comment 1 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-08-09 22:24:07 UTC
arm64 stable.
Comment 2 Thomas Deutschmann gentoo-dev Security 2019-08-11 21:31:08 UTC
x86 stable
Comment 3 Agostino Sarubbo gentoo-dev 2019-08-12 09:12:09 UTC
amd64 stable.

Maintainer(s), please cleanup.
Comment 4 Larry the Git Cow gentoo-dev 2019-08-12 11:08:03 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3368d5e2fdca00d0dbfca1a10c7faa76d8221728

commit 3368d5e2fdca00d0dbfca1a10c7faa76d8221728
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2019-08-12 11:07:41 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2019-08-12 11:07:48 +0000

    kde-frameworks/kconfig: Security cleanup 5.60.0 (r0)
    
    Bug: https://bugs.gentoo.org/691858
    Package-Manager: Portage-2.3.69, Repoman-2.3.16
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 kde-frameworks/kconfig/kconfig-5.60.0.ebuild | 36 ----------------------------
 1 file changed, 36 deletions(-)
Comment 5 Andreas Sturmlechner gentoo-dev 2019-08-14 12:45:53 UTC
KDE proj is done here.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2019-08-15 15:42:39 UTC
This issue was resolved and addressed in
 GLSA 201908-07 at https://security.gentoo.org/glsa/201908-07
by GLSA coordinator Aaron Bauman (b-man).