LinuxQuestions.org
Old 08-07-2019, 12:03 PM   #1
garpu
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 795

Rep: Reputation: 377
KDE vulnerability


https://twitter.com/kdecommunity/sta...95896454373376

Fun times. If this affects KDE 5.6 and below, does this mean a version bump in the near future to >5.6?
 
Old 08-07-2019, 01:05 PM   #2
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,585

Rep: Reputation: 2351
Well, it had to happen eventually. The brain-dead morons had to end up writing code for GNU/Linux.
The people responsible should be named, shamed and banished from ever providing code to any project ever. I hate these moronic scum who think they can, somehow, repeat historic failing without causing problems.
 
1 members found this post helpful.
Old 08-07-2019, 08:03 PM   #3
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 17,227
Blog Entries: 27

Rep: Reputation: 5332
I have not yet encountered a project that has been 100% free of mistakes.

I think the measure of a project is how it reacts when a mistake is discovered. I would give KDE kudos for warning the community.
 
6 members found this post helpful.
Old 08-08-2019, 03:00 AM   #4
drgibbon
Senior Member
 
Registered: Nov 2014
Distribution: Slackware64 -current
Posts: 1,006

Rep: Reputation: 674
Not much of a fan of the way 273 put that, but the "vulnerability" is pretty weird. From the advisory:

Quote:
The syntax Key[$e]=$(shell command) in *.desktop files, .directory files, and configuration files
(typically found in ~/.config) was an intentional feature of KConfig, to allow flexible configuration.
This could however be abused by malicious people to make the users install such files and get code
executed even without intentional action by the user. A file manager trying to find out the icon for
a file or directory could end up executing code, or any application using KConfig could end up
executing malicious code during its startup phase for instance.

After careful consideration, the entire feature of supporting shell commands in KConfig entries has been removed,
because we couldn't find an actual use case for it.

So .desktop files etc were designed to just run arbitrary shell code and no one could even come up with a concrete circumstance where that would be useful?
 
Old 08-08-2019, 05:11 AM   #5
GazL
LQ Veteran
 
Registered: May 2008
Posts: 5,794

Rep: Reputation: 3707
Why am I not surprised..
 
1 members found this post helpful.
Old 08-08-2019, 06:01 AM   #6
bormant
Member
 
Registered: Jan 2008
Posts: 399

Rep: Reputation: 223
Details:
https://gist.githubusercontent.com/z...-injection.txt

Seems to me it can be fixed as in
https://mirror.git.trinitydesktop.or...4eda7805390284
by removing from QString KConfigPrivate::expandString(const QString &value) in kconfig.cpp the conditional branch starting with:
Code:
        // there is at least one $
        if (aValue[nDollarPos + 1] == QLatin1Char('(')) {
            int nEndPos = nDollarPos + 1;
            // the next character is not $
            while ((nEndPos <= aValue.length()) && (aValue[nEndPos] != QLatin1Char(')'))) {
                nEndPos++;
            }
            nEndPos++;
            QString cmd = aValue.mid(nDollarPos + 2, nEndPos - nDollarPos - 3);
...
PS. It is already fixed as above, ChangeLog.txt
Code:
Thu Aug  8 05:25:56 UTC 2019
patches/packages/kdelibs-4.14.38-x86_64-1_slack14.2.txz:  Upgraded.
  kconfig: malicious .desktop files (and others) would execute code.
  For more information, see:
    https://mail.kde.org/pipermail/kde-announce/2019-August/000047.html
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14744
  (* Security fix *)
+--------------------------+

Last edited by bormant; 08-08-2019 at 06:33 AM.
 
1 members found this post helpful.
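
Added example, not part of the thread and not KDE's code: a small Python scanner that reports entries using the `Key[$e]=$(shell command)` syntax quoted from the advisory above, for checking directories such as ~/.config on systems that have not yet been updated. The combined option form (e.g. `[$ie]`), the function names and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# "Key[opts]...=value": a key name followed by one or more bracketed suffixes.
ENTRY = re.compile(r"^(?P<key>[^\[=#\s][^\[=]*)(?P<opts>(?:\[[^\]]*\])+)\s*=(?P<value>.*)$")
OPTION = re.compile(r"\[\$([a-z]+)\]")  # e.g. [$e]; assumed combinable, e.g. [$ie]


def scan_text(text):
    """Return (line_no, key, value) for expandable entries containing $(...)."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = ENTRY.match(line.strip())
        if not m:
            continue
        flags = "".join(OPTION.findall(m.group("opts")))
        # Conservative: any "$(" in an [$e] value is reported, escaped or not.
        if "e" in flags and "$(" in m.group("value"):
            hits.append((no, m.group("key").strip(), m.group("value").strip()))
    return hits


def scan_tree(root):
    """Scan every regular file under root; return {path: hits} for files with hits."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and not path.is_symlink():
            try:
                hits = scan_text(path.read_text(errors="replace"))
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if hits:
                report[str(path)] = hits
    return report


def demo():
    # Constructed samples: harmless command, plain entries, env-var expansion only.
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / ".directory").write_text("[Desktop Entry]\nIcon[$e]=$(echo hello)\n")
        (root / "ok.desktop").write_text("[Desktop Entry]\nIcon=folder\nName[en]=Docs\n")
        (root / "apprc").write_text("[General]\nPath[$e]=$HOME/data\n")
        return {Path(p).name: h for p, h in scan_tree(root).items()}


if __name__ == "__main__":
    print(demo())
```

Entries that only expand environment variables (`Path[$e]=$HOME/data`) are not reported, since the advisory concerns the `$(...)` form.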
Old 08-08-2019, 06:02 AM   #7
3rensho
Member
 
Registered: Mar 2008
Location: Switzerland
Distribution: Slackware64-current
Posts: 562

Rep: Reputation: 201
Probably a silly question but here goes. I'm running the latest Plasma5 and I noticed that Pat released a kdelibs package this morning to address the vulnerability. The same package exists in Plasma5 but as -1 and was built by Eric. I updated the kdelibs package on my installation with Pat's -4 version and everything works fine. Is this sufficient to fix the problem for Plasma5?
 
Old 08-08-2019, 06:11 AM   #8
Labinnah
Member
 
Registered: May 2014
Location: Łódź, Poland
Distribution: Slackware-current
Posts: 185

Rep: Reputation: 112
Quote:
Originally Posted by 3rensho View Post
Probably a silly question but here goes. I'm running the latest Plasma5 and I noticed that Pat released a kdelibs package this morning to address the vulnerability. The same package exists in Plasma5 but as -1 and was built by Eric. I updated the kdelibs package on my installation with Pat's -4 version and everything works fine. Is this sufficient to fix the problem for Plasma5?

No, kdelibs in Plasma is provided only for compatibility with old KDE4 apps. In Plasma the affected package is "kconfig".
 
1 members found this post helpful.
Old 08-08-2019, 06:30 AM   #9
3rensho
Member
 
Registered: Mar 2008
Location: Switzerland
Distribution: Slackware64-current
Posts: 562

Rep: Reputation: 201
OK, thank you for the clarification.
 
Old 08-08-2019, 07:02 AM   #10
hua
Member
 
Registered: Oct 2006
Location: Slovak Republic
Distribution: Slackware 14.2, current
Posts: 454

Rep: Reputation: 78
KDE4 is affected too? I can see a patch was released for kdelibs-4.14.38...

Edit: oops, I didn't refresh my page before posting...

Last edited by hua; 08-08-2019 at 07:04 AM.
 
Old 08-08-2019, 08:57 AM   #11
garpu
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 795

Original Poster
Rep: Reputation: 377
OK, with today's patch, I'm marking this one solved.
 
Old 08-08-2019, 09:56 AM   #12
montagdude
Senior Member
 
Registered: Apr 2016
Distribution: Slackware
Posts: 1,872

Rep: Reputation: 1426
I'm kind of stunned that they would implement such a feature without considering the obvious security risks. Executing arbitrary code is basically #1 on the list of potentially dangerous things to do.
 
3 members found this post helpful.
All times are GMT -5.