This update fixes CVE-2019-14744 (kconfig arbitrary shell code execution) in the compatibility library kdelibs4 used by legacy applications (not yet ported to KDE Frameworks 5). The included kde-settings update removes obsolete settings that conflict with the security fix and are no longer needed (see below for details).
The full list of fixes in the kdelibs4 build:

- kconfig: malicious .desktop files (and others) would execute code. KConfig had a well-meaning feature that allowed configuration files to execute arbitrary shell commands. Unfortunately, this could be abused by untrusted .desktop files to execute arbitrary code as the target user, without the user even running the .desktop file. Therefore, this update removes that ill-fated feature. (Patch from upstream: kf5-kconfig fix by David Faure, kdelibs4 backport by Kai Uwe Broulik.)
- gamin file watching service, which is unmaintained and buggy and can lead to application lockups. KDirWatch now relies exclusively on inotify (directly). (Packaging fix by Rex Dieter.)
- xf86misc library. (Packaging fix by Kevin Kofler.)

The fixes in the kde-settings build remove settings that were calling xdg-user-dir, because the above CVE-2019-14744 fix drops support for running shell commands from configuration files from KConfig, and because the settings are all no longer needed (they either only reproduce default behavior or were commented out):

- /usr/share/kde-settings/kde-profile/default/share/config/kdeglobals, /usr/share/kde-settings/kde-profile/minimal/share/config/kdeglobals: Remove the [Paths] section. The Desktop and Documents directories that were set there are already detected by default by kdelibs4 (it has native support for xdg-user-dirs and does not need the external xdg-user-dir command invocation), and now also by kdelibs3 >= 3.5.10-101 (which has native xdg-user-dirs support backported). The Trash setting was already commented out.
- /usr/share/kde-settings/kde-profile/default/xdg/baloofilerc: Delete the commented-out folders setting that attempts to call xdg-user-dir.
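As an added illustration, not part of this advisory or of the kdelibs or kde-settings packages: the feature removed by the kconfig fix above was KConfig's per-key shell expansion, enabled by a "[$e]" flag in the key name, under which a value containing "$(command)" was run through the shell. The script below audits .desktop files and other KConfig-style files for entries that used that feature, so an administrator can find files that relied on it (for example, the kde-settings files changed here). The sample file contents and the function names are constructed for this example.

```python
import re
import sys

# Constructed sample of a KConfig-style .desktop file (not taken from the advisory).
# Before the fix, a key name carrying the "[$e]" flag told KConfig to expand
# $VAR and $(command) in its value; the second form invoked a shell.
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=Example
Name[de]=Beispiel
Icon[$e]=$(some-command)
Comment[$e]=$HOME/notes
Exec=/usr/bin/example
"""

# Key name, then zero or more bracketed suffixes (a locale such as [de], or a
# flag block such as [$e] or [$ei]), then "=value".
_KEY_RE = re.compile(r'^([^=\[\]]+)((?:\[[^\]]*\])*)\s*=\s*(.*)$')
_SUFFIX_RE = re.compile(r'\[([^\]]*)\]')
_SHELL_RE = re.compile(r'\$\([^)]*\)')


def find_shell_expansions(text):
    """Return (section, key, value) for every entry carrying the $e flag
    whose value contains a $(...) command substitution."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1]
            continue
        m = _KEY_RE.match(line)
        if not m:
            continue
        key, suffixes, value = m.group(1).strip(), m.group(2), m.group(3)
        # A suffix starting with '$' is a flag block; the letter 'e' enables expansion.
        expands = any(s.startswith('$') and 'e' in s for s in _SUFFIX_RE.findall(suffixes))
        if expands and _SHELL_RE.search(value):
            findings.append((section, key, value))
    return findings


def audit_files(paths):
    """Map each path to its findings; files that cannot be read map to None."""
    report = {}
    for path in paths:
        try:
            with open(path, encoding='utf-8', errors='replace') as fh:
                report[path] = find_shell_expansions(fh.read())
        except OSError:
            report[path] = None
    return report


if __name__ == '__main__':
    if len(sys.argv) > 1:
        for path, hits in audit_files(sys.argv[1:]).items():
            for section, key, value in (hits or []):
                print(f"{path}: [{section}] {key} = {value}")
    else:
        for section, key, value in find_shell_expansions(SAMPLE_DESKTOP):
            print(f"sample: [{section}] {key} = {value}")
```

Run it with file paths as arguments (for example the kdeglobals files named above, or the .desktop files under a user's home directory) to list entries that depended on the removed feature; with no arguments it checks the built-in sample, reporting only the Icon entry, since Comment uses plain $VAR expansion without a command substitution.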
Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:
sudo dnf upgrade --refresh --advisory=FEDORA-2019-39d23c7a94
This update has been submitted for testing by kkofler.
This update's test gating status has been changed to 'waiting'.
This update's test gating status has been changed to 'ignored'.
This update has been pushed to testing.
This update can be pushed to stable now if the maintainer wishes
This update has been submitted for stable by kkofler.
This update has been pushed to stable.