CVE-2019-14744: OS Command Injection
First published: Wed Aug 07 2019(Updated: )
In KDE Frameworks KConfig before 5.61.0, malicious desktop files and configuration files lead to code execution with minimal user interaction. This relates to libKF5ConfigCore.so, and the mishandling of .desktop and .directory files, as demonstrated by a shell command on an Icon line in a .desktop file.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/kconfig | 5.78.0-4 5.103.0-2 5.115.0-2 | |
| KDE KConfig | <5.61.0 | |
| Debian Linux | =9.0 | |
| Debian Linux | =10.0 | |
| Red Hat Fedora | =29 | |
| Red Hat Fedora | =30 | |
| openSUSE Backports | =15.0-sp1 | |
| Ubuntu | =16.04 | |
| Ubuntu | =18.04 | |
| Ubuntu | =19.04 | |
| Red Hat Enterprise Linux Desktop | =7.0 | |
| Red Hat Enterprise Linux Server | =7.0 | |
| Red Hat Enterprise Linux Workstation | =7.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00013.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00016.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00034.html
- http://packetstormsecurity.com/files/153981/Slackware-Security-Advisory-kdelibs-Updates.html
- https://access.redhat.com/errata/RHSA-2019:2606
- https://gist.githubusercontent.com/zeropwn/630832df151029cb8f22d5b6b9efaefb/raw/64aa3d30279acb207f787ce9c135eefd5e52643b/kde-kdesktopfile-command-injection.txt
- https://lists.debian.org/debian-lts-announce/2019/08/msg00023.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5IRIKH7ZWXELIQT6WSLV7EG3VTFWKZPD/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNHO6FZRYBQ2R3UCFDGS66F6DNNTKCMM/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UYKLUSSEK3YJOVQDL6K2LKGS3354UH6L/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTFBQRJAU7ITD3TOMPZAUQMYYCAZ6DTX/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YIDXQ6CUB5E7Y3MJWCUY4VR42QAE6SCJ/
- https://seclists.org/bugtraq/2019/Aug/12
- https://seclists.org/bugtraq/2019/Aug/9
- https://security.gentoo.org/glsa/201908-07
- https://usn.ubuntu.com/4100-1/
- https://www.debian.org/security/2019/dsa-4494
- https://www.zdnet.com/article/unpatched-kde-vulnerability-disclosed-on-twitter/
- https://kde.org/info/security/advisory-20190807-1.txt
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1740140
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1740141
- https://bodhi.fedoraproject.org/updates/FEDORA-2019-f9f78895c3
- https://bodhi.fedoraproject.org/updates/FEDORA-2019-9f2ee52c88
- https://cgit.kde.org/kconfig.git/commit/?id=5d3e71b1d2ecd2cb2f910036e614ffdfc895aa22
- https://cgit.kde.org/kdelibs.git/commit/?id=2c3762feddf7e66cf6b64d9058f625a715694a00
- https://access.redhat.com/security/cve/cve-2019-14744
- https://access.redhat.com/support/policy/updates/errata/
- https://access.redhat.com/errata/RHSA-2020:2833
- https://bugzilla.redhat.com/show_bug.cgi?id=1740138
- https://launchpad.net/bugs/cve/CVE-2019-14744
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5IRIKH7ZWXELIQT6WSLV7EG3VTFWKZPD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNHO6FZRYBQ2R3UCFDGS66F6DNNTKCMM/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UYKLUSSEK3YJOVQDL6K2LKGS3354UH6L/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTFBQRJAU7ITD3TOMPZAUQMYYCAZ6DTX/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YIDXQ6CUB5E7Y3MJWCUY4VR42QAE6SCJ/
- https://github.com/KDE/kconfig/commit/5d3e71b1d2ecd2cb2f910036e614ffdfc895aa22
- https://github.com/KDE/kdelibs/commit/2c3762feddf7e66cf6b64d9058f625a715694a00
- https://security-tracker.debian.org/tracker/CVE-2019-14744
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14744
- https://nvd.nist.gov/vuln/detail/CVE-2019-14744
- https://ubuntu.com/security/CVE-2019-14744
Frequently Asked Questions
What is CVE-2019-14744?
CVE-2019-14744 is a vulnerability in KDE Frameworks KConfig that allows for code execution through malicious desktop files and configuration files.
What is the severity of CVE-2019-14744?
CVE-2019-14744 has a severity rating of 7.8, which is considered high.
How does CVE-2019-14744 work?
CVE-2019-14744 works by exploiting the mishandling of .desktop and .directory files in libKF5ConfigCore.so, allowing for code execution with minimal user interaction.
What is the remedy for CVE-2019-14744?
The remedy for CVE-2019-14744 is to update to KDE Frameworks KConfig version 5.61.0 or later.
Where can I find more information about CVE-2019-14744?
You can find more information about CVE-2019-14744 in the references provided: [link1], [link2], [link3].
- agent/type
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-14744
- collector/launchpad-cve
- source/Launchpad
- agent/severity
- agent/weakness
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/remedy
- agent/description
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- package-manager/debian
- vendor/kde
- canonical/kde kconfig
- vendor/debian
- canonical/debian linux
- version/debian linux/9.0
- version/debian linux/10.0
- vendor/fedoraproject
- canonical/red hat fedora
- version/red hat fedora/29
- version/red hat fedora/30
- vendor/opensuse
- canonical/opensuse backports
- version/opensuse backports/15.0-sp1
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/16.04
- version/ubuntu/18.04
- version/ubuntu/19.04
- vendor/redhat
- canonical/red hat enterprise linux desktop
- version/red hat enterprise linux desktop/7.0
- canonical/red hat enterprise linux server
- version/red hat enterprise linux server/7.0
- canonical/red hat enterprise linux workstation
- version/red hat enterprise linux workstation/7.0