Fedora 29 : 6:kdelibs / kde-settings (2019-39d23c7a94)

high Nessus Plugin ID 128399

Language:

Synopsis

The remote Fedora host is missing one or more security updates.

Description

This update fixes **CVE-2019-14744 (kconfig arbitrary shell code execution)** in the compatibility library `kdelibs` 4 used by legacy applications (not yet ported to KDE Frameworks 5). The included `kde-settings` update removes obsolete settings that conflict with the security fix and are no longer needed (see below for details).

The full list of fixes in the `kdelibs` 4 build :

- fixes **CVE-2019-14744 (#1740138, #1740140)** –
`kconfig`: malicious `.desktop` files (and others) would execute code. KConfig had a well-meaning feature that allowed configuration files to execute arbitrary shell commands. Unfortunately, this could be abused by untrusted `.desktop` files to execute arbitrary code as the target user, without the user even running the `.desktop` file. Therefore, this update removes that ill-fated feature. (Patch from upstream: `kf5-kconfig` fix by David Faure, `kdelibs` 4 backport by Kai Uwe Broulik.)

- fixes **#917848** – removes support for the `gamin` file watching service which is unmaintained and buggy and can lead to application lockups. KDirWatch now relies exclusively on `inotify` (directly). (Packaging fix by Rex Dieter.)

- fixes **#1730770** – removes an unused dependency on the obsolete `xf86misc` library. (Packaging fix by Kevin Kofler.)

The fixes in the `kde-settings` build remove settings that were calling `xdg-user-dir`, because the above CVE-2019-14744 fix drops support for running shell commands from configuration files from KConfig and because the settings are all no longer needed (because they either only reproduce default behavior or were commented out) :

- `/usr/share/kde-settings/kde-profile/default/share/confi g/kdeglobals`, `/usr/share/kde-settings/kde-profile/minimal/share/confi g/kdeglobals`: Remove the `[Paths]` section. The `Desktop` and `Documents` directories that were set there are already detected by default by `kdelibs` 4 (it has native support for xdg-user-dirs and does not need the external `xdg-user-dir` command invocation), and now also by `kdelibs3 >= 3.5.10-101` (which has native xdg-user-dirs support backported). The `Trash` setting was already commented out.

- `/usr/share/kde-settings/kde-profile/default/xdg/baloofi lerc`: Delete the commented-out `folders` setting that attempts to call `xdg-user-dir`.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected 6:kdelibs and / or kde-settings packages.

See Also

https://bodhi.fedoraproject.org/updates/FEDORA-2019-39d23c7a94

Plugin Details

Severity: High

ID: 128399

File Name: fedora_2019-39d23c7a94.nasl

Version: 1.4

Type: local

Agent: unix

Published: 8/30/2019

Updated: 4/30/2024

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 5.1

Temporal Score: 4

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-14744

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:6:kdelibs, p-cpe:/a:fedoraproject:fedora:kde-settings, cpe:/o:fedoraproject:fedora:29

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/30/2019

Vulnerability Publication Date: 8/7/2019

Reference Information

CVE: CVE-2019-14744