Vulnerability CVE-2019-14744: Information

Description

In KDE Frameworks KConfig before 5.61.0, malicious desktop files and configuration files lead to code execution with minimal user interaction. This relates to libKF5ConfigCore.so, and the mishandling of .desktop and .directory files, as demonstrated by a shell command on an Icon line in a .desktop file.

Severity: HIGH (7.8) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2019-14744
Published: Aug. 7, 2019
Modified: Nov. 7, 2023
Error type identifier: CWE-78

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
kde4libsp94.14.38-alt54.14.38-alt7ALT-PU-2019-2413-1235763Fixed
kde4libsp84.14.38-alt54.14.38-alt5ALT-PU-2019-2447-1235765Fixed
kde4libsc9f24.14.38-alt54.14.38-alt5ALT-PU-2019-2413-1235763Fixed
kf5-kconfigsisyphus5.61.0-alt15.116.0-alt1ALT-PU-2019-2470-1236009Fixed
kf5-kconfigp105.61.0-alt15.115.0-alt1ALT-PU-2019-2470-1236009Fixed
kf5-kconfigp95.61.0-alt15.70.0-alt1ALT-PU-2019-2476-1236012Fixed
kf5-kconfigp85.49.0-alt25.49.0-alt2ALT-PU-2019-2448-1235750Fixed
kf5-kconfigc10f15.61.0-alt15.104.0-alt1ALT-PU-2019-2470-1236009Fixed
kf5-kconfigc9f25.61.0-alt15.70.0-alt1ALT-PU-2019-2476-1236012Fixed
kf5-kconfigp115.61.0-alt15.116.0-alt1ALT-PU-2019-2470-1236009Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://gist.githubusercontent.com/zeropwn/630832df151029cb8f22d5b6b9efaefb/raw/64aa3d30279acb207f787ce9c135eefd5e52643b/kde-kdesktopfile-command-injection.txt
  • Exploit
  • Third Party Advisory
https://www.zdnet.com/article/unpatched-kde-vulnerability-disclosed-on-twitter/
  • Press/Media Coverage
  • Third Party Advisory
20190808 [slackware-security] kdelibs (SSA:2019-220-01)
  • Mailing List
  • Third Party Advisory
http://packetstormsecurity.com/files/153981/Slackware-Security-Advisory-kdelibs-Updates.html
  • Patch
  • Third Party Advisory
  • VDB Entry
DSA-4494
  • Third Party Advisory
20190812 [SECURITY] [DSA 4494-1] kconfig security update
  • Mailing List
  • Third Party Advisory
openSUSE-SU-2019:1851
  • Mailing List
  • Patch
  • Third Party Advisory
openSUSE-SU-2019:1855
  • Mailing List
  • Patch
  • Third Party Advisory
openSUSE-SU-2019:1898
  • Mailing List
  • Third Party Advisory
GLSA-201908-07
  • Third Party Advisory
[debian-lts-announce] 20190818 [SECURITY] [DLA 1890-1] kde4libs security update
  • Mailing List
  • Third Party Advisory
USN-4100-1
  • Third Party Advisory
RHSA-2019:2606
  • Third Party Advisory
FEDORA-2019-48b691092f
    FEDORA-2019-a746ac9c89
      FEDORA-2019-f9f78895c3
        FEDORA-2019-9f2ee52c88
          FEDORA-2019-39d23c7a94

              1. Configuration 1

                cpe:2.3:a:kde:kconfig:*:*:*:*:*:*:*:*
                End excliding
                5.61.0

                Configuration 2

                cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
                cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

                Configuration 3

                cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
                cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*

                Configuration 4

                cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*

                Configuration 5

                cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
                cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
                cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*

                Configuration 6

                cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
                cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
                cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
            VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
            Version: v24.5.3
            Back to top