
CVE-2019-14744

Published: 2019-08-07 | Updated: 2019-08-15
CVSS v2 Base Score: 5.1 | Impact Score: 6.4 | Exploitability Score: 4.9
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P

Vulnerability Summary

In KDE Frameworks KConfig before 5.61.0, malicious .desktop and .directory files lead to code execution with minimal user interaction. The flaw is in libKF5ConfigCore.so and its handling of .desktop and .directory files, as demonstrated by a shell command placed on an Icon line of a .desktop file.
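As an added example (not code from this page or from the KDE project), the following Python script scans .desktop and .directory files for the pattern the summary describes, so an analyst can triage a downloaded archive or a shared folder before it is opened in a file browser on an unpatched system. It relies on one KConfig behaviour that the page does not spell out: a value is shell-expanded only when its key carries the `$e` flag (for example `Icon[$e]=...`), and in affected versions a `$(...)` inside such a value was executed, while plain `$VAR` references only expand environment variables. The sample file is constructed here; the script only parses text and never expands or runs anything.

```python
import os
import re
import sys
from typing import Dict, Iterator, List, Tuple

# Constructed sample (not taken from the advisory): a .directory file of the
# shape the summary describes, with a $(...) on an Icon[$e] line, plus a $e
# entry that only references an environment variable. It is only parsed here.
SAMPLE_FILE = """[Desktop Entry]
Type=Directory
Name=Shared
Icon[$e]=$(touch /tmp/kconfig-marker)folder
Comment[$e]=$HOME/shared
Exec=dolphin %u
"""

SCANNED_SUFFIXES = (".desktop", ".directory")

# key, then zero or more [..] qualifiers (a locale such as [de] and/or KConfig
# flags such as [$e] or [$ei]), then '=' and the value
ENTRY_RE = re.compile(r"^\s*([^=\[\]#;][^=\[\]]*?)((?:\[[^\]]*\])*)\s*=\s*(.*?)\s*$")
FLAG_RE = re.compile(r"\[\$([a-z]+)\]")   # letters of every [$..] flag on the key
COMMAND_RE = re.compile(r"\$\(")          # $(...) command substitution in the value


def scan_text(text: str) -> List[Dict[str, object]]:
    """Return every entry whose key asks for shell expansion ($e flag).

    severity is 'command' when the value contains $( ... ), the form that
    affected KConfig versions executed; 'env' when only $VAR expansion is
    requested, which is harmless but still worth a look in untrusted files.
    """
    findings: List[Dict[str, object]] = []
    group = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]          # e.g. [Desktop Entry]
            continue
        m = ENTRY_RE.match(raw)
        if not m:
            continue
        key, qualifiers, value = m.groups()
        flags = "".join(FLAG_RE.findall(qualifiers))
        if "e" not in flags:
            continue                    # no $e flag: KConfig keeps the value literal
        findings.append({
            "line": lineno,
            "group": group,
            "key": key.strip(),
            "value": value,
            "severity": "command" if COMMAND_RE.search(value) else "env",
        })
    return findings


def has_command_expansion(text: str) -> bool:
    """True when at least one $e entry carries a $(...) command substitution."""
    return any(f["severity"] == "command" for f in scan_text(text))


def scan_tree(root: str) -> Iterator[Tuple[str, List[Dict[str, object]]]]:
    """Walk root and yield (path, findings) for every .desktop/.directory file
    that contains at least one $e entry. Files are read as plain text and never
    handed to KConfig, so scanning cannot trigger the expansion itself."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(SCANNED_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = scan_text(fh.read())
            except OSError:
                continue
            if findings:
                yield path, findings


if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:   # no paths given: report on the constructed sample
        for f in scan_text(SAMPLE_FILE):
            print(f"sample:{f['line']} [{f['severity']}] {f['key']}={f['value']}")
    for root in targets:
        for path, found in scan_tree(root):
            for f in found:
                print(f"{path}:{f['line']} [{f['severity']}] {f['key']}={f['value']}")
```

Run it with one or more directories as arguments (an extracted archive, a USB mount, a shared home directory); with no arguments it reports on the embedded sample. A `command` finding in a file from an untrusted source is the signature of this bug, while `env` findings are the legitimate use of the flag and only need review.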

Affected Products

Vendor   Product        Versions
Debian   Debian Linux   9.0, 10.0

Vendor Advisories

Debian Bug report logs - #934267 kconfig: CVE-2019-14744. Package: src:kconfig; Maintainer for src:kconfig is Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Thu, 8 Aug 2019 21:33:02 UTC; Severity: grave; Tags: patch, security, upstream; Fo ...
Dominik Penner discovered that KConfig, the KDE configuration settings framework, supported a feature to define shell command execution in desktop files. If a user is provided with a malformed desktop file (e.g. if it is embedded into a downloaded archive and gets opened in a file browser), arbitrary commands could get executed. This update remo ...
KConfig and KDE libraries could be made to crash or run programs if they opened a specially crafted file ...
Impact: Important | Public Date: 2019-08-12 | CWE: CWE-454 | Bugzilla: 1740138: CVE-2019-14744 kdelibs: malic ...

Mailing Lists

[slackware-security] kdelibs (SSA:2019-220-01): New kdelibs packages are available for Slackware 14.2 and -current to fix a security issue. Here are the details from the Slackware 14.2 ChangeLog: patches/packages/kdelibs-4.14.38-i586-1_slack14.2.txz: Upgraded kconfig ...
Debian Security Advisory DSA-4494-1, security@debian.org, https://www.debian.org/security/, Moritz Muehlenhoff, August 09, 2019, https://www.debian.org/security/faq ...

References

CWE-77

http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00013.html
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00016.html
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00034.html
http://packetstormsecurity.com/files/153981/Slackware-Security-Advisory-kdelibs-Updates.html
https://gist.githubusercontent.com/zeropwn/630832df151029cb8f22d5b6b9efaefb/raw/64aa3d30279acb207f787ce9c135eefd5e52643b/kde-kdesktopfile-command-injection.txt
https://lists.debian.org/debian-lts-announce/2019/08/msg00023.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5IRIKH7ZWXELIQT6WSLV7EG3VTFWKZPD/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNHO6FZRYBQ2R3UCFDGS66F6DNNTKCMM/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UYKLUSSEK3YJOVQDL6K2LKGS3354UH6L/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTFBQRJAU7ITD3TOMPZAUQMYYCAZ6DTX/
https://seclists.org/bugtraq/2019/Aug/12
https://seclists.org/bugtraq/2019/Aug/9
https://security.gentoo.org/glsa/201908-07
https://usn.ubuntu.com/4100-1/
https://www.debian.org/security/2019/dsa-4494
https://www.zdnet.com/article/unpatched-kde-vulnerability-disclosed-on-twitter/
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934267
http://tools.cisco.com/security/center/viewAlert.x?alertId=60580
https://nvd.nist.gov