Debian Security Advisory
DLA-1890-1 kde4libs -- LTS security update
- Date Reported: 19 Aug 2019
- Affected Packages: kde4libs
- Vulnerable: Yes
- Security database references: In the Debian bugtracking system: Bug 934268. In Mitre's CVE dictionary: CVE-2019-14744.
- More information:
Dominik Penner discovered a flaw in how KConfig interpreted shell commands in desktop files and other configuration files. An attacker may trick users into installing specially crafted files, which could then be used to execute arbitrary code, for example when a file manager tries to determine the icon for a file, or in any other application using KConfig. For this reason, the entire feature of supporting shell commands in KConfig entries has been removed.
For Debian 8 "Jessie", this problem has been fixed in version 4:4.14.2-5+deb8u3.

We recommend that you upgrade your kde4libs packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
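To audit hosts for this update, the fixed version above can be checked against collected package inventories. The following is an added example, not part of the advisory or of Debian's tooling: it reimplements dpkg's version ordering so it can run on a machine without dpkg, and the function names and the sample inventory are constructed for illustration.

```python
import re
SOURCE_PKG = "kde4libs"       # affected source package, from the advisory
FIXED = "4:4.14.2-5+deb8u3"   # fixed version for Debian 8, from the advisory

def _order(c):
    # dpkg sort weight: '~' first, then end-of-string/digits, letters, other symbols
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_str(a, b):
    # Compare alternating non-digit and digit runs, as dpkg does
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            d = _order(a[:1]) - _order(b[:1])
            if d:
                return d
            a, b = a[1:], b[1:]
        na, nb = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
        a, b = a[len(na):], b[len(nb):]
    return 0

def deb_cmp(x, y):
    """Negative, zero or positive as Debian version x is older than, equal to or newer than y."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (ex, ux, rx), (ey, uy, ry) = split(x), split(y)
    return (ex - ey) or _cmp_str(ux, uy) or _cmp_str(rx, ry)

def unpatched(inventory):
    """(binary package, version) pairs built from kde4libs that predate the fix."""
    rows = (line.split() for line in inventory.splitlines())
    return [(r[1], r[2]) for r in rows
            if len(r) == 3 and r[0] == SOURCE_PKG and deb_cmp(r[2], FIXED) < 0]

# Constructed sample inventory, in the format printed by
#   dpkg-query -W -f='${source:Package} ${Package} ${Version}\n'
SAMPLE = """\
kde4libs kdelibs5-data 4:4.14.2-5+deb8u2
kde4libs libkdecore5 4:4.14.2-5+deb8u3
kde4libs kdelibs-bin 4:4.14.2-5
bash bash 4.3-11+deb8u2
"""
print(unpatched(SAMPLE))
```

On a host that does have dpkg, `dpkg --compare-versions` performs the same comparison directly.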