A code execution vulnerability in the KDE desktop manager has been resolved by removing support for shell commands in the KConfig configuration system.

Earlier this week, BleepingComputer reported on a zero-day code execution vulnerability in the KDE desktop manager that could allow a remote attacker to execute commands on a user's machine by tricking them into extracting an archive and opening its folder.

This vulnerability was caused by .desktop and .directory files supporting shell commands to dynamically assign a value to various KConfig entries such as the Icon field. This could allow an attacker to create malicious .desktop or .directory files that perform code execution when a folder is opened, as shown below in a test by BleepingComputer.

[Image] Vulnerability Demonstration

To fix this vulnerability, the KDE Project has decided to remove support for shell commands in KConfig entries, but to continue to allow environment variable expansion.

After careful consideration, the entire feature of supporting shell commands in KConfig entries has been removed, because we could not find an actual use case for it. If you do have an existing use for the feature, please contact us so that we can evaluate whether it would be possible to provide a secure solution.

Note that [$e] remains useful for environment variable expansion.

KDE users can fix this vulnerability by updating kconfig to version 5.61.0 or higher or by applying this patch. Users of KDE 4 are advised to apply this patch.

It is strongly advised that all KDE users install these updates.
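The article describes the mechanism (KConfig entries marked `[$e]` being expanded, with shell command substitution now removed and environment variable expansion kept) without showing how a defender would check an extracted archive for files that rely on the removed behaviour. The following is an added example, not code from the article or from the KDE Project: a small scanner that walks a directory for .desktop and .directory files and reports every `[$e]` entry whose value uses KConfig's `$(...)` (or backtick) command substitution, while ignoring plain `$VAR` environment expansion, which remains legitimate after the fix. The sample file contents are constructed for the example, and the helper names (`find_shell_expansion`, `scan_tree`) are the example's own.

```python
import re
from pathlib import Path

# KConfig only expands keys that carry the [$e] flag (optionally combined
# with [$i] for immutable, e.g. [$ie]). Inside such a value, "$VAR" is
# environment expansion (still supported) while "$(command)" asked for
# shell command substitution (the feature KDE removed in kconfig 5.61.0).
EXPAND_KEY = re.compile(r"^\s*([^=]*?)\[\$[ie]*e[ie]*\]\s*=\s*(.*)$")
SHELL_SUBST = re.compile(r"\$\(|`")


def find_shell_expansion(text):
    """Return (group, key, value) for every [$e] entry whose value would
    trigger shell command substitution; env-only expansion is ignored."""
    hits = []
    group = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or comment
        if stripped.startswith("[") and stripped.endswith("]"):
            group = stripped[1:-1]  # e.g. "Desktop Entry"
            continue
        m = EXPAND_KEY.match(line)
        if m and SHELL_SUBST.search(m.group(2)):
            hits.append((group, m.group(1).strip(), m.group(2).strip()))
    return hits


def scan_tree(root):
    """Scan every .desktop and .directory file below root (for instance a
    freshly extracted archive) and map file path -> suspicious entries."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.suffix in (".desktop", ".directory") and path.is_file():
            hits = find_shell_expansion(path.read_text(errors="replace"))
            if hits:
                findings[str(path)] = hits
    return findings


# Constructed sample contents (not taken from the article). The first uses
# only environment-variable expansion, which the fix keeps; the second uses
# the command-substitution form that the patch removed.
SAFE_SAMPLE = "[Desktop Entry]\nIcon[$e]=$HOME/.icons/folder.png\nName=Photos\n"
SUSPICIOUS_SAMPLE = "[Desktop Entry]\nType=Directory\nIcon[$e]=$(echo folder)\n"

if __name__ == "__main__":
    for name, text in (("safe", SAFE_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(name, find_shell_expansion(text))
    # scan_tree("/path/to/extracted/archive") would report real files the same way
```

Run `scan_tree` against the directory an archive was extracted into before browsing it in a file manager on an unpatched system; any reported entry is a file that would have been executed by the old KConfig behaviour, while entries that only reference `$VAR` values are left alone because that expansion is still supported.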
