PublicDateAtUSN: 2019-08-07
Candidate: CVE-2019-14744
PublicDate: 2019-08-07 15:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14744
 https://gist.githubusercontent.com/zeropwn/630832df151029cb8f22d5b6b9efaefb/raw/64aa3d30279acb207f787ce9c135eefd5e52643b/kde-kdesktopfile-command-injection.txt
 https://kde.org/info/security/advisory-20190807-1.txt
 https://www.zdnet.com/article/unpatched-kde-vulnerability-disclosed-on-twitter/
 https://phabricator.kde.org/D22979
 https://ubuntu.com/security/notices/USN-4100-1
Description:
 In KDE Frameworks KConfig before 5.61.0, malicious desktop files and
 configuration files lead to code execution with minimal user interaction.
 This relates to libKF5ConfigCore.so, and the mishandling of .desktop and
 .directory files, as demonstrated by a shell command on an Icon line in a
 .desktop file.
Ubuntu-Description:
 It was discovered that KConfig and KDE libraries have a vulnerability where
 an attacker could hide malicious code under desktop and configuration files.
Notes:
Bugs:
 https://bugs.launchpad.net/ubuntu/+source/kconfig/+bug/1839432
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [7.8 HIGH]

Patches_kde4libs:
upstream_kde4libs: needs-triage
precise/esm_kde4libs: DNE
trusty_kde4libs: ignored (out of standard support)
trusty/esm_kde4libs: needs-triage
xenial_kde4libs: released (4:4.14.16-0ubuntu3.3)
bionic_kde4libs: released (4:4.14.38-0ubuntu3.1)
disco_kde4libs: released (4:4.14.38-0ubuntu6.1)
eoan_kde4libs: DNE
focal_kde4libs: DNE
groovy_kde4libs: DNE
hirsute_kde4libs: DNE
impish_kde4libs: DNE
jammy_kde4libs: DNE
devel_kde4libs: DNE

Patches_kconfig:
 upstream: https://phabricator.kde.org/R237:5d3e71b1d2ecd2cb2f910036e614ffdfc895aa22
upstream_kconfig: needs-triage
precise/esm_kconfig: DNE
trusty_kconfig: ignored (out of standard support)
trusty/esm_kconfig: DNE
xenial_kconfig: released (5.18.0-0ubuntu1.1)
bionic_kconfig: released (5.44.0-0ubuntu1.1)
disco_kconfig: released (5.56.0-0ubuntu1.1)
eoan_kconfig: not-affected (5.60.0-0ubuntu2)
focal_kconfig: not-affected (5.60.0-0ubuntu2)
groovy_kconfig: not-affected (5.60.0-0ubuntu2)
hirsute_kconfig: not-affected (5.60.0-0ubuntu2)
impish_kconfig: not-affected (5.60.0-0ubuntu2)
jammy_kconfig: not-affected (5.60.0-0ubuntu2)
devel_kconfig: not-affected (5.60.0-0ubuntu2)