
Bug#934267: marked as done (kconfig: CVE-2019-14744)



Your message dated Fri, 09 Aug 2019 19:19:56 +0000
with message-id <E1hwAQe-000CNX-3U@fasolo.debian.org>
and subject line Bug#934267: fixed in kconfig 5.54.0-2
has caused the Debian Bug report #934267,
regarding kconfig: CVE-2019-14744
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
934267: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934267
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: kconfig
Version: 5.54.0-1
Severity: grave
Tags: patch security upstream
Justification: user security hole
Control: found -1 5.28.0-2
Control: clone -1 -2
Control: reassign -2 src:kde4libs 4:4.14.38-3
Control: retitle -2 kde4libs: CVE-2019-14744
Control: found -2 4:4.14.26-2

Hi,

The following vulnerability was published for kconfig.

CVE-2019-14744[0]:
| In KDE Frameworks KConfig before 5.61.0, malicious desktop files and
| configuration files lead to code execution with minimal user
| interaction. This relates to libKF5ConfigCore.so, and the mishandling
| of .desktop and .directory files, as demonstrated by a shell command
| on an Icon line in a .desktop file.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-14744
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14744
[1] https://kde.org/info/security/advisory-20190807-1.txt
[2] https://cgit.kde.org/kconfig.git/commit/?id=5d3e71b1d2ecd2cb2f910036e614ffdfc895aa22
[3] https://cgit.kde.org/kdelibs.git/commit/?id=2c3762feddf7e66cf6b64d9058f625a715694a00

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: kconfig
Source-Version: 5.54.0-2

We believe that the bug you reported is fixed in the latest version of
kconfig, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 934267@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Maximiliano Curia <maxy@debian.org> (supplier of updated kconfig package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 09 Aug 2019 08:00:58 -0300
Source: kconfig
Architecture: source
Version: 5.54.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Maximiliano Curia <maxy@debian.org>
Closes: 934267
Changes:
 kconfig (5.54.0-2) unstable; urgency=medium
 .
   [ Scarlett Moore ]
   * Upstream patch to address CVE-2019-14744.
     https://security-tracker.debian.org/tracker/CVE-2019-14744
     (Closes: 934267)
 .
   [ Maximiliano Curia ]
   * Release to unstable
Checksums-Sha1:
 e54bd8d4bd0653519fe659261e7f852e818340ec 2681 kconfig_5.54.0-2.dsc
 813bc29060a84462a27de4d94329d53a4b72be22 18108 kconfig_5.54.0-2.debian.tar.xz
 a182e5827965ddf054c88450ef5ddc6511fecc93 12122 kconfig_5.54.0-2_source.buildinfo
Checksums-Sha256:
 f9ced1d12b79658104b1ebd5f3aaa050757acb41eb0c1948546457708dff42e9 2681 kconfig_5.54.0-2.dsc
 b080985cd4fff182a3a1139a9893fb3bf88eb12c1c2478bcd1dcef7ec62fb229 18108 kconfig_5.54.0-2.debian.tar.xz
 0147a8dd4aaf1ff5783c56c9fcce54d87f984f6bf36d8b54c0ce8d71a5be98d9 12122 kconfig_5.54.0-2_source.buildinfo
Files:
 6f145fe3a006c1e900ac625c9e687f11 2681 libs optional kconfig_5.54.0-2.dsc
 89175c9f4db112874167b6484f889c85 18108 libs optional kconfig_5.54.0-2.debian.tar.xz
 2e10d2dcb7e1985b07f2a488da6ca88e 12122 libs optional kconfig_5.54.0-2_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
