CVE-2019-14744: OS Command Injection
First published: Wed Aug 07 2019(Updated: )
In KDE Frameworks KConfig before 5.61.0, malicious desktop files and configuration files lead to code execution with minimal user interaction. This relates to libKF5ConfigCore.so, and the mishandling of .desktop and .directory files, as demonstrated by a shell command on an Icon line in a .desktop file.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Kde Kconfig | <5.61.0 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Fedoraproject Fedora | =29 | |
| Fedoraproject Fedora | =30 | |
| openSUSE Backports SLE | =15.0-sp1 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =18.04 | |
| Canonical Ubuntu Linux | =19.04 | |
| Redhat Enterprise Linux Desktop | =7.0 | |
| Redhat Enterprise Linux Server | =7.0 | |
| Redhat Enterprise Linux Workstation | =7.0 | |
| debian/kconfig | 5.78.0-4 5.103.0-2 5.115.0-2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00013.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00016.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00034.html
- http://packetstormsecurity.com/files/153981/Slackware-Security-Advisory-kdelibs-Updates.html
- https://access.redhat.com/errata/RHSA-2019:2606
- https://gist.githubusercontent.com/zeropwn/630832df151029cb8f22d5b6b9efaefb/raw/64aa3d30279acb207f787ce9c135eefd5e52643b/kde-kdesktopfile-command-injection.txt
- https://lists.debian.org/debian-lts-announce/2019/08/msg00023.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5IRIKH7ZWXELIQT6WSLV7EG3VTFWKZPD/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNHO6FZRYBQ2R3UCFDGS66F6DNNTKCMM/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UYKLUSSEK3YJOVQDL6K2LKGS3354UH6L/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTFBQRJAU7ITD3TOMPZAUQMYYCAZ6DTX/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YIDXQ6CUB5E7Y3MJWCUY4VR42QAE6SCJ/
- https://seclists.org/bugtraq/2019/Aug/12
- https://seclists.org/bugtraq/2019/Aug/9
- https://security.gentoo.org/glsa/201908-07
- https://usn.ubuntu.com/4100-1/
- https://www.debian.org/security/2019/dsa-4494
- https://www.zdnet.com/article/unpatched-kde-vulnerability-disclosed-on-twitter/
- https://kde.org/info/security/advisory-20190807-1.txt
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1740140
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1740141
- https://bodhi.fedoraproject.org/updates/FEDORA-2019-f9f78895c3
- https://bodhi.fedoraproject.org/updates/FEDORA-2019-9f2ee52c88
- https://cgit.kde.org/kconfig.git/commit/?id=5d3e71b1d2ecd2cb2f910036e614ffdfc895aa22
- https://cgit.kde.org/kdelibs.git/commit/?id=2c3762feddf7e66cf6b64d9058f625a715694a00
- https://access.redhat.com/security/cve/cve-2019-14744
- https://access.redhat.com/support/policy/updates/errata/
- https://access.redhat.com/errata/RHSA-2020:2833
- https://bugzilla.redhat.com/show_bug.cgi?id=1740138
- https://launchpad.net/bugs/cve/CVE-2019-14744
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5IRIKH7ZWXELIQT6WSLV7EG3VTFWKZPD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNHO6FZRYBQ2R3UCFDGS66F6DNNTKCMM/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UYKLUSSEK3YJOVQDL6K2LKGS3354UH6L/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTFBQRJAU7ITD3TOMPZAUQMYYCAZ6DTX/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YIDXQ6CUB5E7Y3MJWCUY4VR42QAE6SCJ/
- https://github.com/KDE/kconfig/commit/5d3e71b1d2ecd2cb2f910036e614ffdfc895aa22
- https://github.com/KDE/kdelibs/commit/2c3762feddf7e66cf6b64d9058f625a715694a00
- https://security-tracker.debian.org/tracker/CVE-2019-14744
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14744
- https://nvd.nist.gov/vuln/detail/CVE-2019-14744
- https://ubuntu.com/security/CVE-2019-14744
Frequently Asked Questions
What is CVE-2019-14744?
CVE-2019-14744 is a vulnerability in KDE Frameworks KConfig that allows for code execution through malicious desktop files and configuration files.
What is the severity of CVE-2019-14744?
CVE-2019-14744 has a severity rating of 7.8, which is considered high.
How does CVE-2019-14744 work?
CVE-2019-14744 works by exploiting the mishandling of .desktop and .directory files in libKF5ConfigCore.so, allowing for code execution with minimal user interaction.
What is the remedy for CVE-2019-14744?
The remedy for CVE-2019-14744 is to update to KDE Frameworks KConfig version 5.61.0 or later.
Where can I find more information about CVE-2019-14744?
You can find more information about CVE-2019-14744 in the references provided: [link1], [link2], [link3].
- collector/nvd-index
- agent/author
- agent/type
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-14744
- collector/launchpad-cve
- source/Launchpad
- agent/severity
- agent/weakness
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- collector/security-tracker-debian
- source/Debian
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/remedy
- agent/softwarecombine
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- agent/trending
- vendor/kde
- canonical/kde kconfig
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/29
- version/fedoraproject fedora/30
- vendor/opensuse
- canonical/opensuse backports sle
- version/opensuse backports sle/15.0-sp1
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/18.04
- version/canonical ubuntu linux/19.04
- vendor/redhat
- canonical/redhat enterprise linux desktop
- version/redhat enterprise linux desktop/7.0
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/7.0
- canonical/redhat enterprise linux workstation
- version/redhat enterprise linux workstation/7.0
- package-manager/debian