REDHAT-BUG-1740138
First published: Mon Aug 12 2019(Updated: )
In KDE Frameworks KConfig before 5.61.0, malicious desktop files and configuration files lead to code execution with minimal user interaction. This relates to libKF5ConfigCore.so, and the mishandling of .desktop and .directory files, as demonstrated by a shell command on an Icon line in a .desktop file. External References: <a href="https://kde.org/info/security/advisory-20190807-1.txt">https://kde.org/info/security/advisory-20190807-1.txt</a>
| Affected Software | Affected Version | How to fix |
|---|---|---|
| KDE KConfig | <5.61.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://kde.org/info/security/advisory-20190807-1.txt
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1740140
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1740141
- https://bodhi.fedoraproject.org/updates/FEDORA-2019-f9f78895c3
- https://bodhi.fedoraproject.org/updates/FEDORA-2019-9f2ee52c88
- https://cgit.kde.org/kconfig.git/commit/?id=5d3e71b1d2ecd2cb2f910036e614ffdfc895aa22
- https://cgit.kde.org/kdelibs.git/commit/?id=2c3762feddf7e66cf6b64d9058f625a715694a00
- https://gist.githubusercontent.com/zeropwn/630832df151029cb8f22d5b6b9efaefb/raw/64aa3d30279acb207f787ce9c135eefd5e52643b/kde-kdesktopfile-command-injection.txt
- https://access.redhat.com/security/cve/cve-2019-14744
- https://access.redhat.com/support/policy/updates/errata/
- https://access.redhat.com/errata/RHSA-2019:2606
- https://access.redhat.com/errata/RHSA-2020:2833
- https://bugzilla.redhat.com/show_bug.cgi?id=1740138
Frequently Asked Questions
What is the severity of REDHAT-BUG-1740138?
The severity of REDHAT-BUG-1740138 is classified as critical due to the potential for code execution with minimal user interaction.
How do I fix REDHAT-BUG-1740138?
To fix REDHAT-BUG-1740138, upgrade KDE KConfig to a version higher than 5.61.0.
Who is affected by REDHAT-BUG-1740138?
Users running KDE KConfig versions prior to 5.61.0 are affected by REDHAT-BUG-1740138.
What types of files are involved in the vulnerability REDHAT-BUG-1740138?
REDHAT-BUG-1740138 involves malicious .desktop and .directory files.
Is user interaction required for the exploit in REDHAT-BUG-1740138?
Yes, REDHAT-BUG-1740138 requires minimal user interaction for the exploit to be triggered.
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-14744
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- agent/severity
- agent/references
- agent/description
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/kde
- canonical/kde kconfig