On Sun, Aug 18, 2019 at 6:38 PM Markus Koschany <[email protected]> wrote:
> Package        : kde4libs
> Version        : 4:4.14.2-5+deb8u3
> CVE ID         : CVE-2019-14744
> Debian Bug     : 934268
>
> Dominik Penner discovered a flaw in how KConfig interpreted shell
> commands in desktop files and other configuration files. An attacker may
> trick users into installing specially crafted files which could then be
> used to execute arbitrary code, e.g. a file manager trying to find out
> the icon for a file or any application using KConfig. Thus the entire
> feature of supporting shell commands in KConfig entries has been
> removed.
>
> For Debian 8 "Jessie", this problem has been fixed in version
> 4:4.14.2-5+deb8u3.
>
> We recommend that you upgrade your kde4libs packages.
>
> Further information about Debian LTS security advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://wiki.debian.org/LTS
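
A check that can be run alongside the upgrade, given here as an added example that is not part of the advisory or of KDE's code: it scans desktop-style files for KConfig entries that request shell-command expansion. It assumes KConfig's notation for that feature (a `[$e]` option on the key and a `$(...)` command in the value), which the advisory does not spell out; the function names and `SAMPLE` are constructed for illustration.

```python
import re
from pathlib import Path

# key, then one or more bracket groups ([de] locale, [$e]/[$ie] options), then =value
ENTRY = re.compile(
    r'^\s*(?P<key>[^=\[\s][^=\[]*?)(?P<opts>(?:\[[^\]]*\])+)\s*=(?P<value>.*)$')
OPTION_GROUP = re.compile(r'\[\$([a-z]+)\]')  # option letters, e.g. "e" or "ie"

def find_shell_entries(text):
    """Return (line_no, key, value) for entries that ask for expansion
    ('e' option) and whose value contains a $(...) command."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith('#'):      # comment line
            continue
        m = ENTRY.match(line)
        if not m:                              # group header or plain key=value
            continue
        flags = ''.join(OPTION_GROUP.findall(m.group('opts')))
        if 'e' in flags and '$(' in m.group('value'):
            hits.append((no, m.group('key').strip(), m.group('value').strip()))
    return hits

def scan_tree(root, names=('.desktop', '.directory')):
    """Scan files whose name ends in one of `names`; a bare '.directory'
    file has no suffix, so match on the file name rather than Path.suffix."""
    results = {}
    for path in Path(root).rglob('*'):
        if path.is_file() and path.name.endswith(names):
            hits = find_shell_entries(path.read_text(errors='replace'))
            if hits:
                results[str(path)] = hits
    return results

# Constructed sample: only the Icon entry combines [$e] with $(...).
SAMPLE = """\
[Desktop Entry]
Type=Directory
Name=Reports
Name[de]=Berichte
Icon[$e]=$(hostname)
Comment[$e]=$HOME/reports
# Icon[$e]=$(ignored-comment)
"""

if __name__ == '__main__':
    for hit in find_shell_entries(SAMPLE):
        print(hit)
```

Entries that only expand environment variables, such as the `Comment` line in the sample, are not reported.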
