PRIOn knowledge basePRION:CVE-2019-14744Code injection
In KDE Frameworks KConfig before 5.61.0, malicious desktop files and configuration files lead to code execution with minimal user interaction. This relates to libKF5ConfigCore.so, and the mishandling of .desktop and .directory files, as demonstrated by a shell command on an Icon line in a .desktop file.
| CPE | Name | Operator | Version |
|---|---|---|---|
| ubuntu_linux | eq | 18.04 | |
| ubuntu_linux | eq | 19.04 | |
| ubuntu_linux | eq | 16.04 | |
| debian_linux | eq | 9.0 | |
| debian_linux | eq | 10.0 | |
| fedora | eq | 29 | |
| fedora | eq | 30 | |
| kconfig | lt | 5.61.0 | |
| backports_sle | eq | 15.0 sp1 | |
| enterprise_linux_desktop | eq | 7.0 |
References
lists.opensuse.org/opensuse-security-announce/2019-08/msg00013.html
lists.opensuse.org/opensuse-security-announce/2019-08/msg00016.html
lists.opensuse.org/opensuse-security-announce/2019-08/msg00034.html
packetstormsecurity.com/files/153981/Slackware-Security-Advisory-kdelibs-Updates.html
access.redhat.com/errata/RHSA-2019:2606
gist.githubusercontent.com/zeropwn/630832df151029cb8f22d5b6b9efaefb/raw/64aa3d30279acb207f787ce9c135eefd5e52643b/kde-kdesktopfile-command-injection.txt
lists.debian.org/debian-lts-announce/2019/08/msg00023.html
lists.fedoraproject.org/archives/list/[email protected]/message/5IRIKH7ZWXELIQT6WSLV7EG3VTFWKZPD/
lists.fedoraproject.org/archives/list/[email protected]/message/FNHO6FZRYBQ2R3UCFDGS66F6DNNTKCMM/
lists.fedoraproject.org/archives/list/[email protected]/message/UYKLUSSEK3YJOVQDL6K2LKGS3354UH6L/
lists.fedoraproject.org/archives/list/[email protected]/message/WTFBQRJAU7ITD3TOMPZAUQMYYCAZ6DTX/
lists.fedoraproject.org/archives/list/[email protected]/message/YIDXQ6CUB5E7Y3MJWCUY4VR42QAE6SCJ/
seclists.org/bugtraq/2019/Aug/12
seclists.org/bugtraq/2019/Aug/9
security.gentoo.org/glsa/201908-07
usn.ubuntu.com/4100-1/
www.debian.org/security/2019/dsa-4494
www.zdnet.com/article/unpatched-kde-vulnerability-disclosed-on-twitter/
Related
