
KDE has an unpatched security issue that's been made public


Here's your morning dose of uh-oh: a security researcher has made an unfortunate vulnerability in KDE public. It's not something we usually cover, but since there's no fix available it's worth letting you know.

The issue relates to how KDE handles .desktop and .directory files: on KDE they allow what they call "Shell Expansion", which lets some nasty code be run. The other issue is that KDE will automatically execute them without you even opening the files. The issue was discovered by Dominik "zer0pwn" Penner; you can see their write-up of the issue here:

Using a specially crafted .desktop file a remote user could be compromised by simply downloading and viewing the file in their file manager, or by drag and dropping a link of it into their documents or desktop.

Sadly, this makes the security issue one that's quite easy for someone to exploit, as long as they get you to download something containing the malicious file.

On Twitter, the KDE team posted:

For the moment avoid downloading .desktop or .directory files and extracting archives from untrusted sources.

However, that might not be good enough. Going by what else Penner said on Twitter, it's not just .desktop or .directory files: any unknown filetype can be detected by KDE as an application/desktop mimetype, making it a lot worse than originally thought. As long as a file contains "[Desktop Entry]" at the top, it seems KDE will have a go at parsing it.

On top of that, the KDE team were not made aware of the issue before this was all made public. So if you're running KDE, time to be super careful until a patch is out. Hopefully all distributions shipping KDE will be keeping a close eye on this for when a patch is available.
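
The KDE team's advice and Penner's follow-up above point to checking an archive before it is unpacked. As an added example (not code from this article, KDE or the researcher), the Python below lists ZIP members that are named .desktop/.directory or that begin with "[Desktop Entry]" under any other name, reading them in place without extracting. The archive contents are constructed, and tolerating a byte-order mark, blank lines and # comments before the header is a conservative assumption.

```python
import io
import zipfile

HEADER = b"[Desktop Entry]"
RISKY_SUFFIXES = (".desktop", ".directory")
SNIFF_BYTES = 4096  # only the start of each member is read


def starts_with_desktop_header(data: bytes) -> bool:
    """True if the first non-blank, non-comment line is [Desktop Entry]."""
    if data.startswith(b"\xef\xbb\xbf"):  # tolerate a UTF-8 byte-order mark
        data = data[3:]
    for line in data.splitlines():
        line = line.strip()
        if not line or line.startswith(b"#"):
            continue
        return line == HEADER
    return False


def scan_zip(archive) -> list:
    """Return (member, reason) pairs for entries to review before extracting."""
    findings = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            with zf.open(info) as fh:
                head = fh.read(SNIFF_BYTES)
            if name.lower().endswith(RISKY_SUFFIXES):
                findings.append((name, "desktop/directory file name"))
            elif starts_with_desktop_header(head):
                findings.append((name, "[Desktop Entry] header under another name"))
    return findings


def build_sample_zip() -> io.BytesIO:
    """Constructed sample archive with harmless contents, held in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "plain text\n")
        zf.writestr("docs/.directory", "[Desktop Entry]\nIcon=folder\n")
        zf.writestr("docs/notes.dat", "\n# comment\n[Desktop Entry]\nType=Link\n")
        zf.writestr("docs/config.ini", "[General]\nname=value\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for member, reason in scan_zip(build_sample_zip()):
        print(f"{member}: {reason}")
```

Checking content as well as file names matters here because, as described above, the extension alone does not decide whether KDE treats a file as a desktop entry.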

Article taken from GamingOnLinux.com.
Tags: Misc, Security
45 comments

TheSHEEEP 7 Aug, 2019
I'm using Manjaro with KDE Plasma, but since I'm not in the habit of downloading, installing or executing random files, I still feel pretty safe.
I've also been using Windows for many, many years without any kind of antivirus software and never had any problems whatsoever.

Frankly, nothing is ever entirely safe. And the biggest safety risk is not some software vulnerability sitting hidden behind some execution layers, but something entirely different sitting in front of the monitor...


Last edited by TheSHEEEP on 7 August 2019 at 4:47 pm UTC
FurbyOnSteroid 7 Aug, 2019
Thanks for the heads-up.

Considering that I very rarely install anything, I think I will be just fine. Still, this needs to be fixed asap!

The guy that found it, nice but he really has to handle those things the right way. I'm certain he knows how to handle it correctly, but he just doesn't care. According to his Twitter he is a "whitehat wizard" while sharing basically a tutorial on how to do it on one of KDE's replies. I'm sorry but that's just.. I have many words and yet, I won't post any because I don't want this comment to be removed. Very untrustworthy and disqualifies him immediately as a "whitehat". Should be ashamed of his actions just to be "the cool kid".
WorMzy 7 Aug, 2019
Quoting: TheSHEEEP
Frankly, nothing is ever entirely safe. And the biggest safety risk is not some software vulnerability sitting hidden behind some execution layers, but something entirely different sitting in front of the monitor...

I always knew my cats were up to no good!
Shmerl 7 Aug, 2019
Isn't there some way to disable automatic launching for such files? Autoruns is such an old nasty issue, that it's surprising KDE still has it enabled by default.


Last edited by Shmerl on 7 August 2019 at 7:10 pm UTC
Dragunov 8 Aug, 2019
Good thing I use Gnome/Cinnamon :P
TheRiddick 8 Aug, 2019
Quoting: ElectricPrism
So if you are one of those people this is for you:

Haha!

I always found it the other way around, gnome users talking about how fantastic their featureless (most extensions don't work) desktop is and how KDE is bloatware, meanwhile I moved from GNOME to PLASMA5 the other day and noticed things just work a lot better and faster (even games work faster somehow).

Shrug.. Just saying. GNOME SUCKS!
Ari El Uno 8 Aug, 2019
Quoting: Stupendous Man
Why didn't they notify the KDE team BEFORE publishing their write-up? That's what responsible disclosure is all about, and would have avoided this situation! Give the team a couple months to patch, and THEN make the write-up.
I'm a bug bounty hunter myself and any ethical hacker knows not to just disclose a bug to the world as soon as you find it. Pathetic.

They have to fix it ASAP, not a couple of MONTHS.
Izaic 8 Aug, 2019
Quoting: Dragunov
Good thing I use Gnome/Cinnamon :P

Gnome just had malware use the extensions. At the very least, this plasma issue most likely hasn't been utilized in the wild.

That said, nothing is perfect, and there will always be security issues of some kind. It's why Linus Torvalds doesn't consider security issues any more important than bugs.
Flabb 8 Aug, 2019
Quoting: Ari El Uno
They have to fix it ASAP, not a couple of MONTHS.

Normal reporting procedure suggests that a security researcher reports the vulnerability to the developers privately and gives them a couple of months to push a proper fix, then discloses his research after the issue was patched. Well, that's how vuln reporting is done by professionals, not l33t hackerz from Twitter...
But, yeah, now KDE devs have to fix it ASAP because now attackers know everything about the issue. And, BTW, they already patched it, and some distros have already pushed this patch to stable repos.