The syntax Key[$e]=$(shell command) in *.desktop files, .directory files, and configuration files (typically found in ~/.config) was an intentional feature of KConfig, to allow flexible configuration. This could however be abused by malicious people to make the users install such files and get code executed even without intentional action by the user. A file manager trying to find out the icon for a file or directory could end up executing code, or any application using KConfig could end up executing malicious code during its startup phase for instance.
Upstream fix (backported to 5.60.0-r1):
The entire feature of supporting shell commands in KConfig entries has been removed.
Maintainer(s), please cleanup.
The bug has been referenced in the following commit(s):
Author: Andreas Sturmlechner <email@example.com>
AuthorDate: 2019-08-12 11:07:41 +0000
Commit: Andreas Sturmlechner <firstname.lastname@example.org>
CommitDate: 2019-08-12 11:07:48 +0000
kde-frameworks/kconfig: Security cleanup 5.60.0 (r0)
Package-Manager: Portage-2.3.69, Repoman-2.3.16
Signed-off-by: Andreas Sturmlechner <email@example.com>
kde-frameworks/kconfig/kconfig-5.60.0.ebuild | 36 ----------------------------
1 file changed, 36 deletions(-)
KDE proj is done here.
This issue was resolved and addressed in
GLSA 201908-07 at https://security.gentoo.org/glsa/201908-07
by GLSA coordinator Aaron Bauman (b-man).