--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2019-39d23c7a94
2019-08-30 00:49:12.870421
--------------------------------------------------------------------------------

Name        : kde-settings
Product     : Fedora 29
Version     : 29.1
Release     : 1.fc29
URL         : https://github.com/FedoraKDE/kde-settings
Summary     : Config files for kde
Description :
Config files for kde.
--------------------------------------------------------------------------------
Update Information:
This update fixes **CVE-2019-14744 (kconfig arbitrary shell code execution)** in the compatibility library `kdelibs` 4 used by legacy applications (not yet ported to KDE Frameworks 5). The included `kde-settings` update removes obsolete settings that conflict with the security fix and are no longer needed (see below for details).

The full list of fixes in the `kdelibs` 4 build:

* fixes **CVE-2019-14744 (#1740138, #1740140)** - `kconfig`: malicious `.desktop` files (and others) would execute code. KConfig had a well-meaning feature that allowed configuration files to execute arbitrary shell commands. Unfortunately, this could be abused by untrusted `.desktop` files to execute arbitrary code as the target user, without the user even running the `.desktop` file. Therefore, this update removes that ill-fated feature. (Patch from upstream: `kf5-kconfig` fix by David Faure, `kdelibs` 4 backport by Kai Uwe Broulik.)
* fixes **#917848** - removes support for the `gamin` file watching service, which is unmaintained and buggy and can lead to application lockups. KDirWatch now relies exclusively on `inotify` (directly). (Packaging fix by Rex Dieter.)
* fixes **#1730770** - removes an unused dependency on the obsolete `xf86misc` library. (Packaging fix by Kevin Kofler.)

The fixes in the `kde-settings` build remove settings that were calling `xdg-user-dir`, because the above CVE-2019-14744 fix drops support for running shell commands from configuration files in KConfig, and because the settings are all no longer needed (they either only reproduce default behavior or were commented out):

* `/usr/share/kde-settings/kde-profile/default/share/config/kdeglobals`, `/usr/share/kde-settings/kde-profile/minimal/share/config/kdeglobals`: Remove the `[Paths]` section. The `Desktop` and `Documents` directories that were set there are already detected by default by `kdelibs` 4 (it has native support for xdg-user-dirs and does not need the external `xdg-user-dir` command invocation), and now also by `kdelibs3 >= 3.5.10-101` (which has native xdg-user-dirs support backported). The `Trash` setting was already commented out.
* `/usr/share/kde-settings/kde-profile/default/xdg/baloofilerc`: Delete the commented-out `folders` setting that attempts to call `xdg-user-dir`.
--------------------------------------------------------------------------------
ChangeLog:
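Administrators who ship their own KConfig profiles may want to audit them for the construct this update removes. The following is an added example, not code from Fedora, KDE or the kde-settings package: a small scanner that walks an INI-style KConfig file and flags every entry whose key carries KConfig's `$e` (expand) flag and whose value contains a `$(...)` substitution, which is the combination that made the file run a shell command before the fix. It also produces a copy with those entries commented out, mirroring what the `kde-settings` update does to the `[Paths]` section. The sample `kdeglobals` fragment is constructed for the example and is not the shipped file.

```python
import re
from typing import List, Set, Tuple

# A KConfig key line looks like "Key[opt][opt]...=value". The bracketed groups
# carry either a locale ("[de]") or KConfig flags ("[$e]" expand, "[$i]" immutable).
KEY_RE = re.compile(r'^([^=\[\]]+?)((?:\[[^\]]*\])*)\s*=(.*)$')
OPTION_RE = re.compile(r'\[([^\]]*)\]')
SHELL_SUBST = re.compile(r'\$\(')      # "$(command)" inside an expanded value

Finding = Tuple[int, str, str, str]   # (line number, group, key, value)


def kconfig_flags(options: str) -> Set[str]:
    """Collect the flag letters from the "[$...]" option groups of a key."""
    flags: Set[str] = set()
    for opt in OPTION_RE.findall(options):
        if opt.startswith("$"):
            flags.update(opt[1:])
    return flags


def find_shell_expansions(text: str) -> List[Finding]:
    """Flag entries that ask KConfig to run a shell command: the key has the
    'e' flag and the value contains "$(...)". Comment lines and plain $VAR
    environment expansions are not reported."""
    findings: List[Finding] = []
    group = ""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank or commented out
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]            # "[Paths]" style group header
            continue
        m = KEY_RE.match(line)
        if not m:
            continue
        key, options, value = m.group(1).strip(), m.group(2), m.group(3).strip()
        if "e" in kconfig_flags(options) and SHELL_SUBST.search(value):
            findings.append((lineno, group, key, value))
    return findings


def neutralize(text: str) -> str:
    """Return the file with every flagged entry commented out, so the entry
    is dropped just as the kde-settings update drops its [Paths] entries."""
    flagged = {lineno for lineno, _, _, _ in find_shell_expansions(text)}
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        out.append("#" + raw if lineno in flagged else raw)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


# Constructed sample modelled on the [Paths] section described in the advisory.
# "Home" uses only a $VAR expansion and must not be flagged.
SAMPLE_KDEGLOBALS = """[General]
Name=Example

[Paths]
Desktop[$e]=$(xdg-user-dir DESKTOP)
Documents[$e]=$(xdg-user-dir DOCUMENTS)
#Trash[$e]=$(xdg-user-dir TRASH)
Home[$e]=$HOME/Projects
"""

if __name__ == "__main__":
    for lineno, group, key, value in find_shell_expansions(SAMPLE_KDEGLOBALS):
        print(f"line {lineno}: [{group}] {key} would run a shell command: {value}")
    print(neutralize(SAMPLE_KDEGLOBALS))
```

Run against the sample, the scanner reports the `Desktop` and `Documents` entries on lines 5 and 6 and leaves the commented `Trash` line and the `$HOME` expansion alone; a second pass over the neutralized text reports nothing. Pointing it at a directory of `.desktop` files is a cheap way to confirm no locally shipped file still depends on the removed feature after updating.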
* Mon Aug 12 2019 Kevin Kofler <Kevin@tigcc.ticalc.org> 29.1-1
- Remove settings that call xdg-user-dir (no longer supported by KConfig)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1740138 - CVE-2019-14744 kdelibs: malicious desktop files and configuration files lead to code execution with minimal user interaction
      https://bugzilla.redhat.com/show_bug.cgi?id=1740138
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2019-39d23c7a94' at the command line.
For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------