Bug 1738901 - kconfig: malicious .desktop files (and others) would execute code
Summary: kconfig: malicious .desktop files (and others) would execute code
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: kf5-kconfig
Version: 31
Hardware: All
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: Daniel Vrátil
QA Contact: Fedora Extras Quality Assurance
URL: https://kde.org/info/security/advisor...
Whiteboard:
Depends On:
Blocks:
Reported: 2019-08-08 11:41 UTC by JayJayJazz
Modified: 2020-01-04 20:08 UTC (History)

Fixed In Version: kf5-kconfig-5.59.0-1.el8.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-01-04 20:08:05 UTC
Type: Bug
Embargoed:



Description JayJayJazz 2019-08-08 11:41:00 UTC
KDE Project Security Advisory
=============================

Title:          kconfig: malicious .desktop files (and others) would execute code
Risk Rating:    High
CVE:            CVE-2019-14744
Versions:       KDE Frameworks < 5.61.0
Date:           7 August 2019


Overview
========
The syntax Key[$e]=$(shell command) in *.desktop files, .directory files, and configuration files
(typically found in ~/.config) was an intentional feature of KConfig, to allow flexible configuration.
This could however be abused by malicious people to make the users install such files and get code
executed even without intentional action by the user. A file manager trying to find out the icon for
a file or directory could end up executing code, or any application using KConfig could end up
executing malicious code during its startup phase for instance.

After careful consideration, the entire feature of supporting shell commands in KConfig entries has been removed,
because we couldn't find an actual use case for it. If you do have an existing use for the feature, please
contact us so that we can evaluate whether it would be possible to provide a secure solution.

Note that [$e] remains useful for environment variable expansion.

Solution
========

KDE Frameworks 5 users:
- update to kconfig >= 5.61.0
- or apply the following patch to kconfig:
https://cgit.kde.org/kconfig.git/commit/?id=5d3e71b1d2ecd2cb2f910036e614ffdfc895aa22

kdelibs users: apply the following patch to kdelibs 4.14:
https://cgit.kde.org/kdelibs.git/commit/?id=2c3762feddf7e66cf6b64d9058f625a715694a00

Credits
=======
Thanks to Dominik Penner for finding and documenting this issue (we wish however that he would
have contacted us before making the issue public) and to David Faure for the fix.

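The advisory above describes the `Key[$e]=$(shell command)` syntax but does not show it in a file. The following is an added example (not KDE's code and not the kconfig patch) that models the documented behaviour in Python: a minimal parser for .desktop/.directory-style files that honours the `[$e]` marker, the pre-5.61 expansion path in which `$(...)` is handed to a shell, and a hardened path that expands only environment variables. The sample files are constructed for this example; the assumption that the hardened path leaves `$(...)` literal is mine, while the real fix simply removed the feature. The `find_shell_expansions` helper is what a practitioner would run over `~/.config`, `~/.local/share/applications` and any `.directory` files to locate entries that an unpatched KConfig would execute.

```python
import os
import re
import subprocess

# Constructed sample: a .desktop file as an attacker might ship it in an archive.
# A file manager resolving the icon would, on an unpatched KConfig, run the command.
MALICIOUS_DESKTOP = """[Desktop Entry]
Type=Application
Name=Holiday Photos
Icon[$e]=$(echo pwned-by-desktop-file)
Exec=xdg-open .
"""

# Constructed sample: the legitimate use of [$e], environment variables only.
BENIGN_DIRECTORY = """[Desktop Entry]
Icon=folder-pictures
Path[$e]=$HOME/Pictures
Comment=Set $HOME first
"""

# Constructed sample modelled on the xdg-user-dir pattern mentioned in Comment 1.
XDG_DIRECTORY = """[Desktop Entry]
Path[$e]=$(xdg-user-dir DESKTOP)
"""

# Key name followed by any number of [..] markers, e.g. Name[de][$e] or Icon[$ei].
_KEY = re.compile(r'^([^\[\]]+?)((?:\[[^\]]*\])*)$')
# $VAR or ${VAR}; identifiers only, so "$(" never matches here.
_VAR = re.compile(r'\$\{([A-Za-z_]\w*)\}|\$([A-Za-z_]\w*)')
# $(command) up to the first closing parenthesis.
_CMD = re.compile(r'\$\(([^)]*)\)')


def parse_entries(text):
    """Parse key=value lines into {key: (raw_value, expand_flag)}.

    The [$e] marker sets expand_flag; locale markers such as [de] stay part of the key.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#[' or '=' not in line:
            continue
        key_part, _, value = line.partition('=')
        m = _KEY.match(key_part.strip())
        if not m:
            continue
        base, markers = m.group(1), re.findall(r'\[([^\]]*)\]', m.group(2))
        expand = any(mk.startswith('$') and 'e' in mk for mk in markers)
        locale = ''.join('[%s]' % mk for mk in markers if not mk.startswith('$'))
        entries[base + locale] = (value.strip(), expand)
    return entries


def expand_env_only(value, env=None):
    """Expand $VAR and ${VAR} from the environment; anything else is left untouched."""
    env = os.environ if env is None else env
    return _VAR.sub(lambda m: env.get(m.group(1) or m.group(2), ''), value)


def expand_vulnerable(value, env=None):
    """Model of the pre-5.61 behaviour: $(cmd) is run through a shell and its stdout substituted."""
    def run(m):
        proc = subprocess.run(m.group(1), shell=True, capture_output=True, text=True)
        return proc.stdout.rstrip('\r\n')
    return expand_env_only(_CMD.sub(run, value), env)


def expand_hardened(value, env=None):
    """Post-fix model (assumption): only environment variables expand, $(...) stays literal."""
    return expand_env_only(value, env)


def resolve(entries, key, expander, env=None):
    """Return the value a KConfig reader would see for key, expanding only when [$e] was set."""
    value, expand = entries[key]
    return expander(value, env) if expand else value


def find_shell_expansions(text):
    """Scanner: list (key, command) pairs that an unpatched KConfig would execute."""
    hits = []
    for key, (value, expand) in parse_entries(text).items():
        if expand:
            hits.extend((key, m.group(1)) for m in _CMD.finditer(value))
    return hits


if __name__ == '__main__':
    entries = parse_entries(MALICIOUS_DESKTOP)
    print('unpatched Icon ->', resolve(entries, 'Icon', expand_vulnerable))
    print('hardened  Icon ->', resolve(entries, 'Icon', expand_hardened))
    for sample in (MALICIOUS_DESKTOP, BENIGN_DIRECTORY, XDG_DIRECTORY):
        print('shell expansions:', find_shell_expansions(sample))
```

The scanner deliberately flags the `xdg-user-dir` sample as well: after the fix that entry no longer works, which is exactly the compatibility concern raised in Comment 1, and an environment-based value such as `Path[$e]=$HOME/Desktop` is the only form that still expands.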
Comment 1 Rex Dieter 2019-08-08 13:49:38 UTC
KDE SIG is evaluating the patch.

As of this moment, we're holding off backporting anything, as our current default setup utilizes this feature for xdg-user-dir detection (e.g. so your user Desktop gets linked to the output from 'xdg-user-dir DESKTOP'; same for DOCUMENTS, PICTURES, VIDEOS). Need a better understanding of how the patch will impact this vs risk of remaining unpatched.

Comment 2 Fedora Update System 2019-08-08 14:25:05 UTC
FEDORA-2019-48b691092f has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-48b691092f

Comment 3 Fedora Update System 2019-08-09 00:52:36 UTC
kf5-kconfig-5.59.0-1.fc30.1 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-48b691092f

Comment 4 Fedora Update System 2019-08-13 01:01:56 UTC
kf5-kconfig-5.59.0-1.fc30.1 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 5 Ben Cotton 2019-08-13 16:54:31 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to '31'.

Comment 6 Ben Cotton 2019-08-13 17:03:52 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to 31.

Comment 7 Fedora Update System 2019-12-16 18:01:42 UTC
FEDORA-EPEL-2019-cbdfeee1a7 has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-cbdfeee1a7

Comment 8 Fedora Update System 2019-12-17 04:25:33 UTC
kf5-kconfig-5.59.0-1.el8.1 has been pushed to the Fedora EPEL 8 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-cbdfeee1a7

Comment 9 Fedora Update System 2020-01-04 20:08:05 UTC
kf5-kconfig-5.59.0-1.el8.1 has been pushed to the Fedora EPEL 8 stable repository. If problems still persist, please make note of it in this bug report.

