CVE-2019-14744

Published: 7 August 2019

In KDE Frameworks KConfig before 5.61.0, malicious desktop files and configuration files lead to code execution with minimal user interaction. This relates to libKF5ConfigCore.so, and the mishandling of .desktop and .directory files, as demonstrated by a shell command on an Icon line in a .desktop file.

From the Ubuntu security team

It was discovered that KConfig and KDE libraries have a vulnerability where an attacker could hide malicious code under desktop and configuration files.

Priority

CVSS 3 base score: 7.8

Status

Package	Release	Status
kconfig Launchpad, Ubuntu, Debian	bionic	Released (5.44.0-0ubuntu1.1)
	disco	Released (5.56.0-0ubuntu1.1)
	eoan	Not vulnerable (5.60.0-0ubuntu2)
	focal	Not vulnerable (5.60.0-0ubuntu2)
	groovy	Not vulnerable (5.60.0-0ubuntu2)
	hirsute	Not vulnerable (5.60.0-0ubuntu2)
	impish	Not vulnerable (5.60.0-0ubuntu2)
	jammy	Not vulnerable (5.60.0-0ubuntu2)
	precise	Does not exist
	trusty	Does not exist
	upstream	Needs triage
	xenial	Released (5.18.0-0ubuntu1.1)
	Patches: upstream: https://phabricator.kde.org/R237:5d3e71b1d2ecd2cb2f910036e614ffdfc895aa22
kde4libs Launchpad, Ubuntu, Debian	bionic	Released (4:4.14.38-0ubuntu3.1)
	disco	Released (4:4.14.38-0ubuntu6.1)
	eoan	Does not exist
	focal	Does not exist
	groovy	Does not exist
	hirsute	Does not exist
	impish	Does not exist
	jammy	Does not exist
	precise	Does not exist
	trusty	Needs triage
	upstream	Needs triage
	xenial	Released (4:4.14.16-0ubuntu3.3)

References

Bugs

https://bugs.launchpad.net/ubuntu/+source/kconfig/+bug/1839432

CVE-2019-14744

From the Ubuntu security team

Medium

Status

References

Bugs

Join the discussion

Canonical is offering Extended Security Maintenance

Further reading