Описание
In KDE Frameworks KConfig before 5.61.0, malicious desktop files and configuration files lead to code execution with minimal user interaction. This relates to libKF5ConfigCore.so, and the mishandling of .desktop and .directory files, as demonstrated by a shell command on an Icon line in a .desktop file.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| kconfig | fixed | 5.54.0-2 | package | |
| kde4libs | fixed | 4:4.14.38-4 | package | |
| kde4libs | ignored | buster | package | |
| kde4libs | no-dsa | stretch | package |
Примечания
https://gist.githubusercontent.com/zeropwn/630832df151029cb8f22d5b6b9efaefb/raw/64aa3d30279acb207f787ce9c135eefd5e52643b/kde-kdesktopfile-command-injection.txt
https://kde.org/info/security/advisory-20190807-1.txt
kconfig: https://github.com/KDE/kconfig/commit/5d3e71b1d2ecd2cb2f910036e614ffdfc895aa22
kdelibs: https://github.com/KDE/kdelibs/commit/2c3762feddf7e66cf6b64d9058f625a715694a00
stretch desktop users affected through dolphin (kconfig), and also through dolphin4 and konqueror (kde4libs)
Связанные уязвимости
In KDE Frameworks KConfig before 5.61.0, malicious desktop files and configuration files lead to code execution with minimal user interaction. This relates to libKF5ConfigCore.so, and the mishandling of .desktop and .directory files, as demonstrated by a shell command on an Icon line in a .desktop file.
In KDE Frameworks KConfig before 5.61.0, malicious desktop files and configuration files lead to code execution with minimal user interaction. This relates to libKF5ConfigCore.so, and the mishandling of .desktop and .directory files, as demonstrated by a shell command on an Icon line in a .desktop file.
In KDE Frameworks KConfig before 5.61.0, malicious desktop files and configuration files lead to code execution with minimal user interaction. This relates to libKF5ConfigCore.so, and the mishandling of .desktop and .directory files, as demonstrated by a shell command on an Icon line in a .desktop file.
