--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2019-39d23c7a94
2019-08-30 00:49:12.870421
--------------------------------------------------------------------------------
Name : kdelibs
Product : Fedora 29
Version : 4.14.38
Release : 15.fc29
URL : http://www.kde.org/
Summary : KDE Libraries
Description :
Libraries for KDE 4.
--------------------------------------------------------------------------------
Update Information:
This update fixes **CVE-2019-14744 (kconfig arbitrary shell code execution)** in
the compatibility library `kdelibs` 4 used by legacy applications (not yet
ported to KDE Frameworks 5). The included `kde-settings` update removes obsolete
settings that conflict with the security fix and are no longer needed (see below
for details).

The full list of fixes in the `kdelibs` 4 build:

* fixes **CVE-2019-14744 (#1740138, #1740140)**: `kconfig`: malicious `.desktop`
  files (and others) would execute code. KConfig had a well-meaning feature that
  allowed configuration files to execute arbitrary shell commands.
  Unfortunately, this could be abused by untrusted `.desktop` files to execute
  arbitrary code as the target user, without the user even running the
  `.desktop` file. Therefore, this update removes that ill-fated feature. (Patch
  from upstream: `kf5-kconfig` fix by David Faure, `kdelibs` 4 backport by Kai
  Uwe Broulik.)
* fixes **#917848**: removes support for the `gamin` file watching service,
  which is unmaintained and buggy and can lead to application lockups.
  KDirWatch now relies exclusively on `inotify` (directly). (Packaging fix by
  Rex Dieter.)
* fixes **#1730770**: removes an unused dependency on the obsolete `xf86misc`
  library. (Packaging fix by Kevin Kofler.)

The fixes in the `kde-settings` build remove settings that were calling
`xdg-user-dir`, because the above CVE-2019-14744 fix drops support for running
shell commands from configuration files in KConfig, and because the settings
are all no longer needed (they either only reproduce default behavior or were
commented out):

* `/usr/share/kde-settings/kde-profile/default/share/config/kdeglobals`,
  `/usr/share/kde-settings/kde-profile/minimal/share/config/kdeglobals`:
  Remove the `[Paths]` section. The `Desktop` and `Documents` directories that
  were set there are already detected by default by `kdelibs` 4 (it has native
  support for xdg-user-dirs and does not need the external `xdg-user-dir`
  command invocation), and now also by `kdelibs3 = 3.5.10-101` (which has
  native xdg-user-dirs support backported). The `Trash` setting was already
  commented out.
* `/usr/share/kde-settings/kde-profile/default/xdg/baloofilerc`: Delete the
  commented-out `folders` setting that attempts to call `xdg-user-dir`.
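The advisory describes configuration entries whose values were handed to a
shell by KConfig, and the `kde-settings` entries that used that feature to call
`xdg-user-dir`. The following audit script is an added example, not part of the
Fedora advisory, kdelibs or kde-settings. It parses KConfig-style INI files
(kdeglobals, `.desktop`, baloofilerc) and reports live entries that both carry
KConfig's documented `[$e]` shell-expansion key marker and contain a command
substitution, so an administrator can find settings that depended on the removed
feature. The `SAMPLE_KDEGLOBALS` text is constructed for the example; the marker
handling (`$e`, combined with `$i` as `$ie`) follows the documented KConfig key
syntax and is the only assumption beyond what the advisory states.

```python
"""Audit KConfig-style files for entries that relied on shell expansion.

Added example (not Fedora's or KDE's code). Assumes KConfig's documented
`[$e]` key marker, which told the old KConfig to expand `$VAR` and
`$(command)` in the value; markers may be combined, e.g. `[$ie]`.
"""
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample modelled on the old kde-settings [Paths] section.
SAMPLE_KDEGLOBALS = """\
[General]
BrowserApplication=firefox

[Paths]
Desktop[$e]=$(xdg-user-dir DESKTOP)
Documents[$e]=$(xdg-user-dir DOCUMENTS)
#Trash[$e]=$(xdg-user-dir TRASH)
Wallpaper=/usr/share/backgrounds/default.png
"""

# key, optional bracketed markers (locale or $-flags), '=', value
KEY_RE = re.compile(r"^(?P<key>[^=\[\]#]+?)(?P<markers>(\[[^\]]*\])*)=(?P<value>.*)$")
MARKER_RE = re.compile(r"\[([^\]]*)\]")
# $( ... ) command substitution or backticks inside the value
CMD_SUBST_RE = re.compile(r"\$\(|`")

Entry = Tuple[str, List[str], str]  # (key, markers, value)


def parse_kconfig(text: str) -> Dict[str, List[Entry]]:
    """Parse KConfig/INI text into {group: [(key, markers, value), ...]}.

    Blank lines and '#' comments are skipped, so a commented-out entry
    (like the old Trash setting) is never reported as live.
    """
    groups: Dict[str, List[Entry]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            groups.setdefault(current, [])
            continue
        m = KEY_RE.match(line)
        if not m:
            continue
        markers = MARKER_RE.findall(m.group("markers"))
        groups.setdefault(current, []).append(
            (m.group("key"), markers, m.group("value"))
        )
    return groups


def has_shell_expansion_marker(markers: List[str]) -> bool:
    """True if any $-flag marker (e.g. '$e', '$ie') requests shell expansion."""
    return any(mk.startswith("$") and "e" in mk[1:] for mk in markers)


def find_shell_expansion(text: str) -> List[Tuple[str, str, str]]:
    """Return (group, key, value) for live entries that KConfig would have
    passed to a shell: `$e`-marked and containing a command substitution."""
    findings = []
    for group, entries in parse_kconfig(text).items():
        for key, markers, value in entries:
            if has_shell_expansion_marker(markers) and CMD_SUBST_RE.search(value):
                findings.append((group, key, value))
    return findings


def audit_file(path: str) -> List[Tuple[str, str, str]]:
    """Audit a config file on disk; returns the same tuples as find_shell_expansion."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_shell_expansion(fh.read())


if __name__ == "__main__":
    # With file arguments, audit those; otherwise audit the constructed sample.
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            for group, key, value in audit_file(p):
                print(f"{p}: [{group}] {key} -> {value}")
    else:
        for group, key, value in find_shell_expansion(SAMPLE_KDEGLOBALS):
            print(f"[{group}] {key} -> {value}")
```

Run against the sample, the script reports the live `Desktop` and `Documents`
entries under `[Paths]` and stays silent on the commented-out `Trash` line,
matching the two settings the `kde-settings` update removed. Pointing it at
`~/.config/kdeglobals` or a `.desktop` file from an untrusted source shows whether
that file contains entries the patched KConfig will no longer expand.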
--------------------------------------------------------------------------------
ChangeLog:
* Mon Aug 12 2019 Kevin Kofler <Kevin(a)tigcc.ticalc.org> - 6:4.14.38-15
- apply upstream fix for CVE-2019-14744 (KConfig shell code execution, #1740140)
* Thu Jul 25 2019 Fedora Release Engineering <releng(a)fedoraproject.org> - 6:4.14.38-14
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Wed Jul 17 2019 Kevin Kofler <Kevin(a)tigcc.ticalc.org> - 6:4.14.38-13
- drop obsolete xf86misc dependency (#1730770)
* Thu May 16 2019 Rex Dieter <rdieter(a)fedoraproject.org> - 6:4.14.38-12
- drop gamin support, too buggy (#917848)
* Thu Apr 11 2019 Richard Shaw <hobbes1069(a)gmail.com> - 6:4.14.38-11
- Rebuild for OpenEXR 2.3.0.
* Fri Feb 1 2019 Fedora Release Engineering <releng(a)fedoraproject.org> - 6:4.14.38-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1740138 - CVE-2019-14744 kdelibs: malicious desktop files and
      configuration files lead to code execution with minimal user interaction
      https://bugzilla.redhat.com/show_bug.cgi?id=1740138
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2019-39d23c7a94' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------