--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2019-a746ac9c89
2019-08-14 01:04:58.755609
--------------------------------------------------------------------------------

Name        : kdelibs
Product     : Fedora 30
Version     : 4.14.38
Release     : 15.fc30
URL         : http://www.kde.org/
Summary     : KDE Libraries
Description : Libraries for KDE 4.
--------------------------------------------------------------------------------
Update Information:
This update fixes **CVE-2019-14744 (kconfig arbitrary shell code execution)** in
the compatibility library `kdelibs` 4 used by legacy applications (not yet ported
to KDE Frameworks 5). The included `kde-settings` update removes obsolete settings
that conflict with the security fix and are no longer needed (see below for
details).

The full list of fixes in the `kdelibs` 4 build:

* fixes **CVE-2019-14744 (#1740138, #1740140)** - `kconfig`: malicious `.desktop`
  files (and others) would execute code. KConfig had a well-meaning feature that
  allowed configuration files to execute arbitrary shell commands. Unfortunately,
  this could be abused by untrusted `.desktop` files to execute arbitrary code as
  the target user, without the user even running the `.desktop` file: an
  application that only parses the file (for example a file manager displaying
  its name and icon) is enough to trigger the expansion. Therefore, this update
  removes that ill-fated feature. (Patch from upstream: `kf5-kconfig` fix by
  David Faure, `kdelibs` 4 backport by Kai Uwe Broulik.)
* fixes **#917848** - removes support for the `gamin` file watching service, which
  is unmaintained and buggy and can lead to application lockups. KDirWatch now
  relies exclusively on `inotify` (directly). (Packaging fix by Rex Dieter.)
* fixes **#1730770** - removes an unused dependency on the obsolete `xf86misc`
  library. (Packaging fix by Kevin Kofler.)

The fixes in the `kde-settings` build remove settings that were calling
`xdg-user-dir`, because the above CVE-2019-14744 fix drops support for running
shell commands from configuration files in KConfig, and because the settings are
all no longer needed (they either only reproduce default behavior or were
commented out):

* `/usr/share/kde-settings/kde-profile/default/share/config/kdeglobals`,
  `/usr/share/kde-settings/kde-profile/minimal/share/config/kdeglobals`: Remove
  the `[Paths]` section. The `Desktop` and `Documents` directories that were set
  there are already detected by default by `kdelibs` 4 (it has native support for
  xdg-user-dirs and does not need the external `xdg-user-dir` command invocation),
  and now also by `kdelibs3 = 3.5.10-101` (which has native xdg-user-dirs support
  backported). The `Trash` setting was already commented out.
* `/usr/share/kde-settings/kde-profile/default/xdg/baloofilerc`: Delete the
  commented-out `folders` setting that attempts to call `xdg-user-dir`.
--------------------------------------------------------------------------------
ChangeLog:
* Mon Aug 12 2019 Kevin Kofler <Kevin@tigcc.ticalc.org> - 6:4.14.38-15
- apply upstream fix for CVE-2019-14744 (KConfig shell code execution, #1740140)

* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 6:4.14.38-14
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild

* Wed Jul 17 2019 Kevin Kofler <Kevin@tigcc.ticalc.org> - 6:4.14.38-13
- drop obsolete xf86misc dependency (#1730770)

* Thu May 16 2019 Rex Dieter <rdieter@fedoraproject.org> - 6:4.14.38-12
- drop gamin support, too buggy (#917848)

* Thu Apr 11 2019 Richard Shaw <hobbes1069@gmail.com> - 6:4.14.38-11
- Rebuild for OpenEXR 2.3.0.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1740138 - CVE-2019-14744 kdelibs: malicious desktop files and
      configuration files lead to code execution with minimal user interaction
      https://bugzilla.redhat.com/show_bug.cgi?id=1740138
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
  su -c 'dnf upgrade --advisory FEDORA-2019-a746ac9c89'
at the command line. For more information, refer to the dnf documentation
available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys --------------------------------------------------------------------------------
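Added example (not part of the Fedora notification, and not code from kdelibs or
KConfig): a scanner for the feature that the CVE-2019-14744 fix under "Update
Information" removes. KConfig marks a key whose value is to be expanded with a
bracketed "$e" option (for example `Icon[$e]=...`, possibly combined with other
flags such as `[$ei]`); before the fix, a `$(...)` command substitution inside
such a value was handed to a shell when the file was parsed. The script flags
every `[$e]` entry whose value contains `$(`, so it can be run over
`~/.local/share/applications`, `~/.config` or a downloaded directory to find
planted `.desktop` or config files, including on hosts that still run an
unpatched KConfig. The sample `.desktop` text is constructed here for the
demonstration, and the regular expression is a simplification of KConfig's real
parser (it does not model every escaping rule).

```python
import os
import re
import sys

# Constructed sample .desktop file (not from the advisory). KConfig treats a
# key carrying a bracketed "$e" option (e.g. Icon[$e]) as expandable; before
# the CVE-2019-14744 fix a "$(...)" in such a value was run through a shell.
# Flags such as "i" (immutable) may be combined with "e" (e.g. [$ei]).
SAMPLE_DESKTOP = """\
[Desktop Entry]
Type=Application
Name=Harmless
Name[de]=Harmlos
# the marker on the next key enables expansion; the value is a command substitution
Icon[$e]=$(touch /tmp/kconfig-expansion-ran)
Exec=/usr/bin/true
Comment[$e]=Installed for $USER
"""

# key, then a marker group that starts with "$" and contains "e", then "=".
# Plain language tags such as Name[de] contain no "$" and do not match.
# This is an approximation of KConfig's key syntax, not its actual parser.
_EXPAND_KEY = re.compile(r'^\s*([^=]+?)\s*\[\$[^\]]*e[^\]]*\]\s*=\s*(.*?)\s*$')


def find_expansions(text, commands_only=True):
    """Return (line_no, section, key, value) for each entry carrying a [$e]
    expansion marker. With commands_only=True only values containing a
    "$(...)" command substitution are reported; with False every [$e] entry
    (including harmless $VAR expansion) is reported."""
    hits = []
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1]
            continue
        m = _EXPAND_KEY.match(raw)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if commands_only and '$(' not in value:
            continue
        hits.append((lineno, section, key, value))
    return hits


def scan_directory(root, commands_only=True):
    """Walk root and return {path: hits} for every file with flagged entries.
    Unreadable files are skipped; binary content is decoded leniently."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding='utf-8', errors='replace') as fh:
                    hits = find_expansions(fh.read(), commands_only)
            except OSError:
                continue
            if hits:
                findings[path] = hits
    return findings


if __name__ == '__main__':
    # Show the constructed sample, then scan any directories given on the
    # command line (e.g. ~/.local/share/applications ~/.config).
    for hit in find_expansions(SAMPLE_DESKTOP):
        print('sample: line %d [%s] %s -> %r' % hit)
    for root in sys.argv[1:]:
        for path, hits in scan_directory(os.path.expanduser(root)).items():
            for lineno, section, key, value in hits:
                print('%s:%d [%s] %s -> %r' % (path, lineno, section, key, value))
```

On the sample only the `Icon[$e]` line is reported with the default settings;
`Comment[$e]` uses plain variable expansion and shows up only with
`commands_only=False`, and a `$(...)` in a key without the `$e` marker is never
expanded by KConfig, so it is not reported.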