-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2019-f9f78895c3 2019-08-19 01:01:06.548912 --------------------------------------------------------------------------------
Name : kdelibs3 Product : Fedora 30 Version : 3.5.10 Release : 101.fc30 URL : http://www.kde.org/ Summary : KDE 3 Libraries Description : Libraries for KDE 3: KDE Libraries included: kdecore (KDE core library), kdeui (user interface), kfm (file manager), khtmlw (HTML widget), kio (Input/Output, networking), kspell (spelling checker), jscript (javascript), kab (addressbook), kimgio (image manipulation).
-------------------------------------------------------------------------------- Update Information:
This update fixes **CVE-2019-14744 (kconfig arbitrary shell code execution)** in the KDE 3 compatibility version of kdelibs used by legacy KDE 3 applications. The full list of fixes in this `kdelibs3` build: * fixes **CVE-2019-14744** - `kconfig`: malicious `.desktop` files (and others) would execute code. KConfig had a well-meaning feature that allowed configuration files to execute arbitrary shell commands. Unfortunately, this could be abused by untrusted `.desktop` files to execute arbitrary code as the target user, without the user even running the `.desktop` file. Therefore, this update removes that ill-fated feature. (Backported by Kevin Kofler from upstream: `kf5-kconfig` fix by David Faure, `kdelibs` 4 backport by Kai Uwe Broulik.) * adds native support for **xdg-user-dirs** for *Desktop* and *Documents*, without shelling out to `xdg- user-dir` from the config file. This is needed due to the above security fix. (This feature was previously implemented in the Fedora `kde-settings` by shelling out to `xdg-user-dir` from the config file using the KConfig feature removed above.) (Backported by Kevin Kofler from Trinity Desktop / Timothy Pearson.) * fixes a **KJS double-free** that could crash legacy KDE 3 applications such as Quanta Plus when trying to execute JavaScript. (Backported by OpenSUSE / Wolfgang Bauer from Trinity Desktop / Timothy Pearson.) -------------------------------------------------------------------------------- ChangeLog:
* Sat Aug 10 2019 Kevin Kofler Kevin@tigcc.ticalc.org - 3.5.10-101 - Backport CVE-2019-14744 fix by David Faure and Kai Uwe Broulik from kdelibs 4 - Backport native xdg-user-dirs support by Timothy Pearson from Trinity (needed to fix the regression that would otherwise result from the above security fix) - Backport KJS double-free fix by Timothy Pearson (backport by wbauer/OpenSUSE) * Thu Jul 25 2019 Fedora Release Engineering releng@fedoraproject.org - 3.5.10-100 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild * Thu Apr 11 2019 Richard Shaw hobbes1069@gmail.com - 3.5.10-99 - Rebuild for OpenEXR 2.3.0. -------------------------------------------------------------------------------- References:
[ 1 ] Bug #1740138 - CVE-2019-14744 kdelibs: malicious desktop files and configuration files lead to code execution with minimal user interaction https://bugzilla.redhat.com/show_bug.cgi?id=1740138 --------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2019-f9f78895c3' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys --------------------------------------------------------------------------------