On Thu, Aug 08, 2019 at 11:29:25PM +0200, Salvatore Bonaccorso wrote:
> Source: kconfig
> Version: 5.54.0-1
> Severity: grave
> Tags: patch security upstream
> Justification: user security hole
> Control: found -1 5.28.0-2
> Control: clone -1 -2
> Control: reassign -2 src:kde4libs 4:4.14.38-3
> Control: retitle -2 kde4libs: CVE-2019-14744
> Control: found -2 4:4.14.26-2
>
> Hi,
>
> The following vulnerability was published for kconfig.
>
> CVE-2019-14744[0]:
> | In KDE Frameworks KConfig before 5.61.0, malicious desktop files and
> | configuration files lead to code execution with minimal user
> | interaction. This relates to libKF5ConfigCore.so, and the mishandling
> | of .desktop and .directory files, as demonstrated by a shell command
> | on an Icon line in a .desktop file.

JFTR, I've prepared updates for Stretch/Buster, which should go out tomorrow.

Cheers,
Moritz