[CVE] malicious .desktop files (and others) would execute code

Bug #1839432 reported by Rik Mills
This bug affects 2 people
Affects              Status        Importance  Assigned to  Milestone
kconfig (Ubuntu)     Fix Released  Medium      Unassigned
  Xenial             Fix Released  Medium      Unassigned
  Bionic             Fix Released  Medium      Unassigned
  Disco              Fix Released  Medium      Unassigned
kde4libs (Ubuntu)    Fix Released  Low         Unassigned
  Xenial             Fix Released  Low         Unassigned
  Bionic             Fix Released  Low         Unassigned
  Disco              Fix Released  Low         Unassigned

Bug Description

KDE Project Security Advisory
=============================

Title: kconfig: malicious .desktop files (and others) would execute code
Risk Rating: High
CVE: CVE-2019-14744
Versions: KDE Frameworks < 5.61.0
Date: 7 August 2019

Overview
========
The syntax Key[$e]=$(shell command) in *.desktop files, .directory files, and configuration files
(typically found in ~/.config) was an intentional feature of KConfig, to allow flexible configuration.
This could however be abused by malicious people to make the users install such files and get code
executed even without intentional action by the user. A file manager trying to find out the icon for
a file or directory could end up executing code, or any application using KConfig could end up
executing malicious code during its startup phase for instance.

After careful consideration, the entire feature of supporting shell commands in KConfig entries has been removed,
because we couldn't find an actual use case for it. If you do have an existing use for the feature, please
contact us so that we can evaluate whether it would be possible to provide a secure solution.

Note that [$e] remains useful for environment variable expansion.
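As an added example (not code from the advisory or from KConfig), the scanner below finds entries that carry the [$e] expansion marker and a $(...) shell substitution in .desktop, .directory or KConfig-style text, and shows the post-fix behaviour in which only $VAR / ${VAR} are expanded and $(...) is left literal. The sample file content is constructed for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# A KConfig entry is Key[markers]=value; the [$e] marker requests expansion.
ENTRY_RE = re.compile(r'^\s*([^=\[\]#;][^=\[\]]*)((?:\[[^\]]*\])*)\s*=\s*(.*)$')
EXPAND_MARKER_RE = re.compile(r'\[\$[a-z]*e[a-z]*\]')   # [$e], [$ie], ...
SHELL_SUBST_RE = re.compile(r'\$\(')                    # start of $(command)
ENV_VAR_RE = re.compile(r'\$(\w+|\{[^}]*\})')           # $VAR or ${VAR}


def scan_kconfig_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, key, value) for each [$e] entry that contains $(...).

    Such entries are exactly what pre-5.61.0 KConfig would hand to a shell
    while an application (or a file manager resolving an icon) read the file.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ENTRY_RE.match(line)
        if not m:
            continue                      # group header, comment or blank line
        key, markers, value = m.group(1).strip(), m.group(2), m.group(3)
        if EXPAND_MARKER_RE.search(markers) and SHELL_SUBST_RE.search(value):
            findings.append((lineno, key, value))
    return findings


def expand_env_only(value: str, env: Dict[str, str]) -> str:
    """Expansion as kept after the fix: environment variables are substituted,
    a $(...) sequence is returned unchanged instead of being executed."""
    def repl(m: "re.Match[str]") -> str:
        return env.get(m.group(1).strip('{}'), '')
    return ENV_VAR_RE.sub(repl, value)


# Constructed sample: one entry abuses [$e] for command substitution, the
# other uses [$e] for the environment-variable expansion that remains supported.
SAMPLE = """[Desktop Entry]
Type=Application
Name=Constructed sample
Icon[$e]=$(id)
Exec[$e]=$HOME/bin/tool
"""

if __name__ == "__main__":
    for lineno, key, value in scan_kconfig_text(SAMPLE):
        print(f"line {lineno}: {key} requests shell substitution: {value!r}")
    print(expand_env_only("$HOME/bin/tool", {"HOME": "/home/user"}))
```

Pointing scan_kconfig_text at the contents of ~/.config, ~/.local/share/applications or an extracted archive gives a quick inventory of files that would have triggered execution on an unpatched KConfig.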

Solution
========
KDE Frameworks 5 users:
- update to kconfig >= 5.61.0
- or apply the following patch to kconfig:
https://cgit.kde.org/kconfig.git/commit/?id=5d3e71b1d2ecd2cb2f910036e614ffdfc895aa22

kdelibs users: apply the following patch to kdelibs 4.14:
https://cgit.kde.org/kdelibs.git/commit/?id=2c3762feddf7e66cf6b64d9058f625a715694a00

Credits
=======
Thanks to Dominik Penner for finding and documenting this issue (we wish however that he would
have contacted us before making the issue public) and to David Faure for the fix.

Tags: patch


Revision history for this message
Rik Mills (rikmills) wrote :

Debdiff with fix for Disco archive

Rik Mills (rikmills) wrote :

Debdiff with fix for Bionic archive

Rik Mills (rikmills) wrote :

Debdiff with kconfig fix for Xenial archive

Changed in kconfig (Ubuntu Xenial):
status: New → Confirmed
Changed in kconfig (Ubuntu Bionic):
status: New → Confirmed
Changed in kconfig (Ubuntu Disco):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in kconfig (Ubuntu):
status: New → Confirmed
Changed in kde4libs (Ubuntu Bionic):
status: New → Confirmed
Changed in kde4libs (Ubuntu Disco):
status: New → Confirmed
Changed in kde4libs (Ubuntu Xenial):
status: New → Confirmed
Changed in kde4libs (Ubuntu):
status: New → Confirmed
tags: added: patch
Rik Mills (rikmills) wrote :

Testing done for Kconfig:

- PPA packages prepared: https://launchpad.net/~kubuntu-ppa/+archive/ubuntu/experimental
- Tested on affected releases using the examples reported by the discloser.
- Confirmed that fix negates the vulnerability in those cases.
- Patched systems seem to otherwise behave normally.

Changed in kde4libs (Ubuntu):
status: Confirmed → New
Changed in kde4libs (Ubuntu Xenial):
status: Confirmed → New
Changed in kde4libs (Ubuntu Bionic):
status: Confirmed → New
Changed in kde4libs (Ubuntu Disco):
status: Confirmed → New
Rik Mills (rikmills) wrote :

kde4libs currently FTBFS in Eoan, so that fix is ongoing. However, this is much lower priority, with little way to trigger the vulnerability on current KF5 desktops.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kconfig - 5.60.0-0ubuntu2

---------------
kconfig (5.60.0-0ubuntu2) eoan; urgency=medium

  * SECURITY UPDATE: malicious .desktop files (and others) would execute
    code (LP: #1839432).
    - debian/patches/CVE-2019-14744.diff: removes the affected feature as
      currently 'unused'.
    - CVE-2019-14744

 -- Rik Mills <email address hidden> Thu, 08 Aug 2019 09:13:45 +0100

Changed in kconfig (Ubuntu):
status: Confirmed → Fix Released
Steve Beattie (sbeattie) wrote :

Thanks Rik, I've reviewed your kconfig fixes and uploaded them to the ubuntu-security-proposed ppa (https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/) for people to test.

Changed in kconfig (Ubuntu Xenial):
status: Confirmed → In Progress
Changed in kconfig (Ubuntu Bionic):
status: Confirmed → In Progress
Changed in kconfig (Ubuntu Disco):
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kconfig - 5.44.0-0ubuntu1.1

---------------
kconfig (5.44.0-0ubuntu1.1) bionic-security; urgency=medium

  * SECURITY UPDATE: malicious .desktop files (and others) would execute
    code (LP: #1839432).
    - debian/patches/CVE-2019-14744.diff: removes the affected feature as
      currently 'unused'.
    - CVE-2019-14744

 -- Rik Mills <email address hidden> Fri, 09 Aug 2019 08:24:44 +0100

Changed in kconfig (Ubuntu Bionic):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kconfig - 5.56.0-0ubuntu1.1

---------------
kconfig (5.56.0-0ubuntu1.1) disco-security; urgency=medium

  * SECURITY UPDATE: malicious .desktop files (and others) would execute
    code (LP: #1839432).
    - debian/patches/CVE-2019-14744.diff: removes the affected feature as
      currently 'unused'.
    - CVE-2019-14744

 -- Rik Mills <email address hidden> Fri, 09 Aug 2019 08:05:33 +0100

Changed in kconfig (Ubuntu Disco):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kconfig - 5.18.0-0ubuntu1.1

---------------
kconfig (5.18.0-0ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: malicious .desktop files (and others) would execute
    code (LP: #1839432).
    - debian/patches/CVE-2019-14744.diff: removes the affected feature as
      currently 'unused'.
    - CVE-2019-14744

 -- Rik Mills <email address hidden> Fri, 09 Aug 2019 08:29:29 +0100

Changed in kconfig (Ubuntu Xenial):
status: In Progress → Fix Released
Mathew Hodson (mhodson)
Changed in kconfig (Ubuntu):
importance: Undecided → Medium
Changed in kconfig (Ubuntu Xenial):
importance: Undecided → Medium
Changed in kconfig (Ubuntu Bionic):
importance: Undecided → Medium
Changed in kconfig (Ubuntu Disco):
importance: Undecided → Medium
Changed in kde4libs (Ubuntu):
importance: Undecided → Low
Changed in kde4libs (Ubuntu Xenial):
importance: Undecided → Low
Changed in kde4libs (Ubuntu Bionic):
importance: Undecided → Low
Changed in kde4libs (Ubuntu Disco):
importance: Undecided → Low
Mathew Hodson (mhodson)
information type: Public → Public Security
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kde4libs - 4:4.14.38-0ubuntu7

---------------
kde4libs (4:4.14.38-0ubuntu7) eoan; urgency=medium

  * SECURITY UPDATE: malicious .desktop files (and others) would execute
    code (LP: #1839432).
    - debian/patches/CVE-2019-14744.diff: removes the affected feature as
      currently 'unused'.
    - CVE-2019-14744
  * Build against OpenSSL 1.1:
    - use Fedora-provided patch backport by Daniel Vrátil and Wolfgang Bauer
    - In Build-Depends, replace libssl1.0-dev by "libssl-dev (>= 1.1)"
  * Mark an additional symbol as optional on ppc64el.

 -- Rik Mills <email address hidden> Thu, 15 Aug 2019 14:10:10 +0100

Changed in kde4libs (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kde4libs - 4:4.14.38-0ubuntu3.1

---------------
kde4libs (4:4.14.38-0ubuntu3.1) bionic-security; urgency=medium

  * SECURITY UPDATE: malicious .desktop files (and others) would execute
    code (LP: #1839432).
    - debian/patches/CVE-2019-14744.patch: remove support for $(...) in
      config keys with [$e] marker.
    - CVE-2019-14744

 -- Paulo Flabiano Smorigo <email address hidden> Mon, 12 Aug 2019 12:04:10 -0300

Changed in kde4libs (Ubuntu Bionic):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kde4libs - 4:4.14.38-0ubuntu6.1

---------------
kde4libs (4:4.14.38-0ubuntu6.1) disco-security; urgency=medium

  * SECURITY UPDATE: malicious .desktop files (and others) would execute
    code (LP: #1839432).
    - debian/patches/CVE-2019-14744.patch: remove support for $(...) in
      config keys with [$e] marker.
    - debian/patches/kdelibs-4.14.38-openssl-1.1.patch: Make kssl compile
      against OpenSSL 1.1.0
    - CVE-2019-14744

 -- Paulo Flabiano Smorigo <email address hidden> Mon, 12 Aug 2019 10:53:32 -0300

Changed in kde4libs (Ubuntu Disco):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kde4libs - 4:4.14.16-0ubuntu3.3

---------------
kde4libs (4:4.14.16-0ubuntu3.3) xenial-security; urgency=medium

  * SECURITY UPDATE: Directory traversal vulnerability.
    - debian/patches/CVE-2016-6232.patch: extraction location to be in
      subfolder.
    - CVE-2016-6232
  * SECURITY UPDATE: malicious .desktop files (and others) would execute
    code (LP: #1839432).
    - debian/patches/CVE-2019-14744.patch: remove support for $(...) in
      config keys with [$e] marker.
    - CVE-2019-14744

 -- Paulo Flabiano Smorigo <email address hidden> Mon, 12 Aug 2019 15:09:56 -0300

Changed in kde4libs (Ubuntu Xenial):
status: New → Fix Released