
Bug#934267: kconfig: CVE-2019-14744



Source: kconfig
Version: 5.54.0-1
Severity: grave
Tags: patch security upstream
Justification: user security hole
Control: found -1 5.28.0-2
Control: clone -1 -2
Control: reassign -2 src:kde4libs 4:4.14.38-3
Control: retitle -2 kde4libs: CVE-2019-14744
Control: found -2 4:4.14.26-2

Hi,

The following vulnerability was published for kconfig.

CVE-2019-14744[0]:
| In KDE Frameworks KConfig before 5.61.0, malicious desktop files and
| configuration files lead to code execution with minimal user
| interaction. This relates to libKF5ConfigCore.so, and the mishandling
| of .desktop and .directory files, as demonstrated by a shell command
| on an Icon line in a .desktop file.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-14744
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14744
[1] https://kde.org/info/security/advisory-20190807-1.txt
[2] https://cgit.kde.org/kconfig.git/commit/?id=5d3e71b1d2ecd2cb2f910036e614ffdfc895aa22
[3] https://cgit.kde.org/kdelibs.git/commit/?id=2c3762feddf7e66cf6b64d9058f625a715694a00

Regards,
Salvatore

