5.1 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:H/Au:N/C:P/I:P/A:P
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.1 High
AI Score
Confidence
High
0.003 Low
EPSS
Percentile
69.7%
This update fixes CVE-2019-14744 (kconfig arbitrary shell code execution) in the compatibility library kdelibs
4 used by legacy applications (not yet ported to KDE Frameworks 5). The included kde-settings
update removes obsolete settings that conflict with the security fix and are no longer needed (see below for details).
The full list of fixes in the kdelibs
4 build :
fixes CVE-2019-14744 (#1740138, #1740140) –
kconfig
: malicious .desktop
files (and others) would execute code. KConfig had a well-meaning feature that allowed configuration files to execute arbitrary shell commands. Unfortunately, this could be abused by untrusted .desktop
files to execute arbitrary code as the target user, without the user even running the .desktop
file. Therefore, this update removes that ill-fated feature. (Patch from upstream: kf5-kconfig
fix by David Faure, kdelibs
4 backport by Kai Uwe Broulik.)
fixes #917848 – removes support for the gamin
file watching service which is unmaintained and buggy and can lead to application lockups. KDirWatch now relies exclusively on inotify
(directly). (Packaging fix by Rex Dieter.)
fixes #1730770 – removes an unused dependency on the obsolete xf86misc
library. (Packaging fix by Kevin Kofler.)
The fixes in the kde-settings
build remove settings that were calling xdg-user-dir
, because the above CVE-2019-14744 fix drops support for running shell commands from configuration files from KConfig and because the settings are all no longer needed (because they either only reproduce default behavior or were commented out) :
`/usr/share/kde-settings/kde-profile/default/share/confi g/kdeglobals`, `/usr/share/kde-settings/kde-profile/minimal/share/confi g/kdeglobals`: Remove the `[Paths]` section. The `Desktop` and `Documents` directories that were set there are already detected by default by `kdelibs` 4 (it has native support for xdg-user-dirs and does not need the external `xdg-user-dir` command invocation), and now also by `kdelibs3 >= 3.5.10-101` (which has native xdg-user-dirs support backported). The `Trash` setting was already commented out.
`/usr/share/kde-settings/kde-profile/default/xdg/baloofi lerc`: Delete the commented-out `folders` setting that attempts to call `xdg-user-dir`.
Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory FEDORA-2019-39d23c7a94.
#
include('compat.inc');
if (description)
{
script_id(128399);
script_version("1.4");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/30");
script_cve_id("CVE-2019-14744");
script_xref(name:"FEDORA", value:"2019-39d23c7a94");
script_name(english:"Fedora 29 : 6:kdelibs / kde-settings (2019-39d23c7a94)");
script_set_attribute(attribute:"synopsis", value:
"The remote Fedora host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"This update fixes **CVE-2019-14744 (kconfig arbitrary shell code
execution)** in the compatibility library `kdelibs` 4 used by legacy
applications (not yet ported to KDE Frameworks 5). The included
`kde-settings` update removes obsolete settings that conflict with the
security fix and are no longer needed (see below for details).
The full list of fixes in the `kdelibs` 4 build :
- fixes **CVE-2019-14744 (#1740138, #1740140)** –
`kconfig`: malicious `.desktop` files (and others) would
execute code. KConfig had a well-meaning feature that
allowed configuration files to execute arbitrary shell
commands. Unfortunately, this could be abused by
untrusted `.desktop` files to execute arbitrary code as
the target user, without the user even running the
`.desktop` file. Therefore, this update removes that
ill-fated feature. (Patch from upstream: `kf5-kconfig`
fix by David Faure, `kdelibs` 4 backport by Kai Uwe
Broulik.)
- fixes **#917848** – removes support for the
`gamin` file watching service which is unmaintained and
buggy and can lead to application lockups. KDirWatch now
relies exclusively on `inotify` (directly). (Packaging
fix by Rex Dieter.)
- fixes **#1730770** – removes an unused dependency
on the obsolete `xf86misc` library. (Packaging fix by
Kevin Kofler.)
The fixes in the `kde-settings` build remove settings that were
calling `xdg-user-dir`, because the above CVE-2019-14744 fix drops
support for running shell commands from configuration files from
KConfig and because the settings are all no longer needed (because
they either only reproduce default behavior or were commented out) :
-
`/usr/share/kde-settings/kde-profile/default/share/confi
g/kdeglobals`,
`/usr/share/kde-settings/kde-profile/minimal/share/confi
g/kdeglobals`: Remove the `[Paths]` section. The
`Desktop` and `Documents` directories that were set
there are already detected by default by `kdelibs` 4 (it
has native support for xdg-user-dirs and does not need
the external `xdg-user-dir` command invocation), and now
also by `kdelibs3 >= 3.5.10-101` (which has native
xdg-user-dirs support backported). The `Trash` setting
was already commented out.
-
`/usr/share/kde-settings/kde-profile/default/xdg/baloofi
lerc`: Delete the commented-out `folders` setting that
attempts to call `xdg-user-dir`.
Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues.");
script_set_attribute(attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2019-39d23c7a94");
script_set_attribute(attribute:"solution", value:
"Update the affected 6:kdelibs and / or kde-settings packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-14744");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2019/08/07");
script_set_attribute(attribute:"patch_publication_date", value:"2019/08/30");
script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/30");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:6:kdelibs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kde-settings");
script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:29");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Fedora Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2019-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! preg(pattern:"^29([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 29", "Fedora " + os_ver);
if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
flag = 0;
if (rpm_check(release:"FC29", reference:"kdelibs-4.14.38-15.fc29", epoch:"6")) flag++;
if (rpm_check(release:"FC29", reference:"kde-settings-29.1-1.fc29")) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : rpm_report_get()
);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "6:kdelibs / kde-settings");
}
Vendor | Product | Version | CPE |
---|---|---|---|
fedoraproject | fedora | 6 | p-cpe:/a:fedoraproject:fedora:6:kdelibs |
fedoraproject | fedora | kde-settings | p-cpe:/a:fedoraproject:fedora:kde-settings |
fedoraproject | fedora | 29 | cpe:/o:fedoraproject:fedora:29 |
5.1 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:H/Au:N/C:P/I:P/A:P
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.1 High
AI Score
Confidence
High
0.003 Low
EPSS
Percentile
69.7%