Debian Security Advisory
DLA-1890-1 kde4libs -- LTS security update
- Date Reported:
- 19 Aug 2019
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 934268.
In Mitre's CVE dictionary: CVE-2019-14744.
- More information:
Dominik Penner discovered a flaw in how KConfig interpreted shell commands in desktop files and other configuration files. An attacker may trick users into installing specially crafted files which could then be used to execute arbitrary code, e.g. a file manager trying to find out the icon for a file or any application using KConfig. Thus the entire feature of supporting shell commands in KConfig entries has been removed.
For Debian 8
Jessie, this problem has been fixed in version 4:4.14.2-5+deb8u3.
We recommend that you upgrade your kde4libs packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS