
Bug#934267: kconfig: CVE-2019-14744



On Thu, Aug 08, 2019 at 11:29:25PM +0200, Salvatore Bonaccorso wrote:
> Source: kconfig
> Version: 5.54.0-1
> Severity: grave
> Tags: patch security upstream
> Justification: user security hole
> Control: found -1 5.28.0-2
> Control: clone -1 -2
> Control: reassign -2 src:kde4libs 4:4.14.38-3
> Control: retitle -2 kde4libs: CVE-2019-14744
> Control: found -2 4:4.14.26-2
> 
> Hi,
> 
> The following vulnerability was published for kconfig.
> 
> CVE-2019-14744[0]:
> | In KDE Frameworks KConfig before 5.61.0, malicious desktop files and
> | configuration files lead to code execution with minimal user
> | interaction. This relates to libKF5ConfigCore.so, and the mishandling
> | of .desktop and .directory files, as demonstrated by a shell command
> | on an Icon line in a .desktop file.

JFTR, I've prepared updates for Stretch/Buster, which should go out tomorrow.

Cheers,
        Moritz

