[SECURITY] [DLA 1890-1] kde4libs security update

ID DEBIAN:DLA-1890-1:828EC
Type debian
Reporter Debian
Modified 2019-08-18T22:38:45


Package        : kde4libs
Version        : 4:4.14.2-5+deb8u3
CVE ID         : CVE-2019-14744
Debian Bug     : 934268

Dominik Penner discovered a flaw in how KConfig interpreted shell commands in desktop files and other configuration files. An attacker may trick users into installing specially crafted files which could then be used to execute arbitrary code, for example when a file manager tries to determine the icon for a file, or in any application using KConfig. As a result, the entire feature of supporting shell commands in KConfig entries has been removed.
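To audit a system for files that relied on the removed feature, the following added example (not part of the advisory or of KDE's code) flags KConfig entries that request expansion and embed a command. It assumes KConfig's documented shell-expansion syntax, which the advisory does not spell out: a `[$e]` option on the key and `$(...)` in the value, with `$$` as a literal dollar. The function names and the file-name list are hypothetical.

```python
import re
from pathlib import Path

# Trailing option block on a key, e.g. "Icon[$e]" or "Name[$ie]"; 'e' requests expansion.
OPTION_RE = re.compile(r"\[\$([a-z]+)\]\s*$")

def has_command_substitution(value):
    """True if value contains an unescaped "$(" (assumption: "$$" is a literal dollar)."""
    i = 0
    while i < len(value) - 1:
        if value[i] == "$":
            if value[i + 1] == "$":
                i += 2  # skip the escaped pair
                continue
            if value[i + 1] == "(":
                return True
        i += 1
    return False

def scan_text(text):
    """Return (line_number, key) for each expandable entry that embeds a command."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#") or "=" not in line:
            continue  # comments and group headers such as [Desktop Entry]
        key, value = line.split("=", 1)
        match = OPTION_RE.search(key)
        if match and "e" in match.group(1) and has_command_substitution(value):
            findings.append((lineno, key.strip()))
    return findings

def scan_tree(root, names=(".desktop", ".directory")):
    """Scan matching files under root; the name list is an assumption, widen as needed."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.endswith(names):
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                results[str(path)] = hits
    return results

# Constructed sample, not taken from any real file.
SAMPLE = """[Desktop Entry]
Type=Directory
Name[$e]=$USER
Icon[$e]=$(example-command)
Comment[$ie]=price $$(literal)
Exec=echo $(no-expand-option)
"""

if __name__ == "__main__":
    print(scan_text(SAMPLE))
```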

For Debian 8 "Jessie", this problem has been fixed in version 4:4.14.2-5+deb8u3.

We recommend that you upgrade your kde4libs packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS