Security advisory: kconfig: malicious .desktop files (and others) would execute code
faure at kde.org
Wed Aug 7 22:19:16 BST 2019
KDE Project Security Advisory
Title: kconfig: malicious .desktop files (and others) would execute code
Risk Rating: High
Versions: KDE Frameworks < 5.61.0
Date: 7 August 2019
The syntax Key[$e]=$(shell command) in *.desktop files, .directory files, and configuration files
(typically found in ~/.config) was an intentional feature of KConfig, to allow flexible configuration.
This could however be abused by malicious people to make the users install such files and get code
executed even without intentional action by the user. A file manager trying to find out the icon for
a file or directory could end up executing code, or any application using KConfig could end up
executing malicious code during its startup phase for instance.
After careful consideration, the entire feature of supporting shell commands in KConfig entries has been removed,
because we couldn't find an actual use case for it. If you do have an existing use for the feature, please
contact us so that we can evaluate whether it would be possible to provide a secure solution.
Note that [$e] remains useful for environment variable expansion.
KDE Frameworks 5 users:
- update to kconfig >= 5.61.0
- or apply the following patch to kconfig:
kdelibs users: apply the following patch to kdelibs 4.14:
Thanks to Dominik Penner for finding and documenting this issue (we wish however that he would
have contacted us before making the issue public) and to David Faure for the fix.
David Faure, faure at kde.org, http://www.davidfaure.fr
Working on KDE Frameworks 5
More information about the kde-announce