CVE-2019-14744

Name: CVE-2019-14744
Description: In KDE Frameworks KConfig before 5.61.0, malicious desktop files and configuration files lead to code execution with minimal user interaction. This relates to libKF5ConfigCore.so and the mishandling of .desktop and .directory files, as demonstrated by a shell command on an Icon line in a .desktop file.
Source: CVE (cross-references: NVD, CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues)
References: DLA-1890-1, DSA-4494-1
NVD severity: medium (attack range: remote)
Debian Bugs: 934267, 934268
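The description above refers to a shell command placed on an Icon line. What KConfig actually expands is an entry whose key carries the [$e] marker (for example Icon[$e]=$(...)), and before 5.61.0 that expansion also ran $(...) through a shell. The scanner below is an added example for triaging a host, not code from the Debian tracker or from KDE; it assumes the [$e] marker as the trigger, and the sample file text and paths in it are constructed for the demonstration.

```python
"""Flag .desktop/.directory entries that combine the KConfig [$e] expansion
marker with a $(...) shell substitution, the pattern behind CVE-2019-14744.

Added example (not the Debian tracker's or KDE's code).  Assumption: KConfig
only expands entries whose key ends in [$e]; pre-5.61.0 that expansion
also executed $(...).  Sample contents and paths below are constructed.
"""
import re
import sys
from pathlib import Path

# "Key[$e]=value"; the key may carry a locale part first, e.g. Name[de][$e].
# Only the plain [$e] marker is matched here.
EXPANDING_KEY = re.compile(r"^\s*([A-Za-z0-9_-]+(?:\[[^\]]*\])*)\[\$e\]\s*=\s*(.*)$")
SHELL_SUBST = re.compile(r"\$\(")   # the $(...) form old KConfig ran as a command


def find_shell_expansions(text):
    """Return (line_no, key, value) for each [$e] entry whose value holds $(.

    A plain "Icon=$(cmd)" without [$e] is not flagged: KConfig does not expand
    it, so it is rendered literally rather than executed.
    """
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        stripped = line.lstrip()
        if stripped.startswith(("#", "[")):      # comment or [Group] header
            continue
        m = EXPANDING_KEY.match(line)
        if m and SHELL_SUBST.search(m.group(2)):
            hits.append((no, m.group(1), m.group(2)))
    return hits


def scan_paths(paths):
    """Walk files/directories; return {path: hits} for files with findings."""
    report = {}
    for root in paths:
        root = Path(root)
        files = [root] if root.is_file() else root.rglob("*")
        for f in files:
            if f.suffix in (".desktop", ".directory") and f.is_file():
                hits = find_shell_expansions(f.read_text(errors="replace"))
                if hits:
                    report[str(f)] = hits
    return report


# Constructed sample: a launcher whose Icon line would have run a command
# when a file manager or launcher read it with a vulnerable KConfig.
SAMPLE = """[Desktop Entry]
Type=Application
Name=Innocent
Icon[$e]=$(touch /tmp/pwned)
Exec=/usr/bin/true
"""

if __name__ == "__main__":
    targets = sys.argv[1:] or []   # e.g. ~/Desktop ~/.local/share/applications
    if targets:
        for path, hits in scan_paths(targets).items():
            for no, key, value in hits:
                print(f"{path}:{no}: {key}[$e]={value}")
    else:
        print(find_shell_expansions(SAMPLE))
```

Run it over directories that an unprivileged process can drop files into and that a desktop session reads (the desktop folder, the per-user applications directory, removable media); a hit only proves that such an entry exists, and whether it executes depends on the installed kconfig or kde4libs version being below the fixed versions listed further down the page.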

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release              Version             Status
kconfig (PTS)     stretch              5.28.0-2            vulnerable
                  stretch (security)   5.28.0-2+deb9u1     fixed
                  buster               5.54.0-1            vulnerable
                  buster (security)    5.54.0-1+deb10u1    fixed
                  bullseye, sid        5.54.0-2            fixed
kde4libs (PTS)    jessie               4:4.14.2-5+deb8u2   vulnerable
                  jessie (security)    4:4.14.2-5+deb8u3   fixed
                  stretch              4:4.14.26-2         vulnerable
                  buster               4:4.14.38-3         vulnerable
                  bullseye, sid        4:4.14.38-4         fixed

The information below is based on the following data on fixed versions.

Package    Type     Release      Fixed Version        Urgency   Origin       Debian Bugs
kconfig    source   (unstable)   5.54.0-2             medium                 934267
kconfig    source   buster       5.54.0-1+deb10u1     medium    DSA-4494-1
kconfig    source   stretch      5.28.0-2+deb9u1      medium    DSA-4494-1
kde4libs   source   (unstable)   4:4.14.38-4          medium                 934268
kde4libs   source   jessie       4:4.14.2-5+deb8u3    medium    DLA-1890-1

Notes

[buster] - kde4libs <no-dsa> (Minor issue)
[stretch] - kde4libs <no-dsa> (Minor issue)
https://gist.githubusercontent.com/zeropwn/630832df151029cb8f22d5b6b9efaefb/raw/64aa3d30279acb207f787ce9c135eefd5e52643b/kde-kdesktopfile-command-injection.txt
https://kde.org/info/security/advisory-20190807-1.txt
kconfig: https://cgit.kde.org/kconfig.git/commit/?id=5d3e71b1d2ecd2cb2f910036e614ffdfc895aa22
kdelibs: https://cgit.kde.org/kdelibs.git/commit/?id=2c3762feddf7e66cf6b64d9058f625a715694a00
