Support us on Patreon to keep GamingOnLinux alive. This ensures we have no timed articles and no paywalls. Just good, fresh content! Alternatively, you can donate through PayPal, Flattr and Liberapay!

KDE has an unpatched security issue that's been made public

Posted by , | Views: 11,452

Here's your morning dose of uh-oh, a security researcher has made an unfortunate vulnerability in KDE public. Not something we usually cover, but since there's no fix available it's worth letting you know.

The issue relates to how KDE handles .desktop and .directory files, since on KDE they allow what they call "Shell Expansion" allowing some nasty code to be run. The other issue, is that KDE will automatically execute them without you even opening the files. Discovered by Dominik "zer0pwn" Penner, you can see their write-up of the issue here:

Using a specially crafted .desktop file a remote user could be compromised by simply downloading and viewing the file in their file manager, or by drag and dropping a link of it into their documents or desktop.

Sadly, this makes the security issue one that's quite easy for someone to exploit, as long as they get you to download something containing the malicious file.

On Twitter, the KDE team posted:

For the moment avoid downloading .desktop or .directory files and extracting archives from untrusted sources.

However, that might not be good enough. Going by what else Penner also said on Twitter, it's not just .desktop or .directory files as any unknown filetype can be detected by KDE as an application/desktop mimetype making it a lot worse than originally thought. As long as a file contains "[Desktop Entry]" at the top, it seems KDE will have a go at parsing it.

On top of that, the KDE team were not made aware of the issue before this was all made public. So if you're running KDE, time to be super careful until a patch is out. Hopefully all distributions shipping KDE will be keeping a close eye on this for when a patch is available.

Article taken from GamingOnLinux.com.
30 Likes, Who?
We do often include affiliate links to earn us some pennies. We are currently affiliated with GOG, Humble Store and Paradox Interactive. See more information here.
About the author -
I am the owner of GamingOnLinux. After discovering Linux back in the days of Mandrake in 2003, I constantly came back to check on the progress of Linux until Ubuntu appeared on the scene and it helped me to really love it. You can reach me easily by [url=https://www.gamingonlinux.com/email-us/]emailing GamingOnLinux directly[/url].
See more from me
45 comments
Page: 1/5»
  Go to:

doomiebaby 7 August 2019 at 8:16 am UTC
what in the...
MessedUpHare 7 August 2019 at 8:18 am UTC
Not reporting this upstream before posting it publicly on twitter is in very poor faith.
Hopefully the KDE devs will be able to resolve this quickly for KDE users out there.
The_Aquabat 7 August 2019 at 8:23 am UTC
don't read this
Spoiler, click me
[Desktop Entry]
Exec=/bin/thisisavirus

you are doomed!!


Last edited by The_Aquabat on 7 August 2019 at 8:28 am UTC
Sir_Diealot 7 August 2019 at 8:24 am UTC
Not at all surprised, I expect that to be the tip of the iceberg. DEs tend to focus on snazzy wallpapers more than anything else.
F.Ultra 7 August 2019 at 8:34 am UTC
chancho_zombiedon't read this
Spoiler, click me
[Desktop Entry]
Exec=/bin/thisisavirus

you are doomed!!

That one you have to actively click on, the problem here is the shell expansion in where you can say set the title to a dynamic value like "title[$ie]=$(/bin/thisisavirus)"
ElectricPrism 7 August 2019 at 8:35 am UTC
I honestly lol inside a little bit from all the shit KDE fanboys give Gnome seeing this crop up.

I like KDE and KDE devs but as a Arch user KDE users have a lot of the "btw I use KDE" going on, except throw in a "and GNOME sucks!"

So if you are one of those people this is for you:

Haha!
Klaas 7 August 2019 at 8:43 am UTC
That does not surprise me at all. The developers seem to think that beautiful code is the most important goal. Again and again regressions are caused by removing “unnecessary” edge cases to make things more elegant.

Kdiff3 used to be able to compare directories with binary files without any trouble. Since about a quarter of a year it crashes all the time.

Konsole's dynamic icons are completely broken. If any tab ever receives notification it is there until the terminal is restarted. It used to clear and revert back to the default icon until someone wanted to make it more elegant at the end of December.
WorMzy 7 August 2019 at 8:44 am UTC
View PC info
  • Supporter
  • Top Supporter
ElectricPrismI honestly lol inside a little bit from all the shit KDE fanboys give Gnome seeing this crop up.

I like KDE and KDE devs but as a Arch user KDE users have a lot of the "btw I use KDE" going on, except throw in a "and GNOME sucks!"

So if you are one of those people this is for you:

Haha!

GNOME still sucks.
Stupendous Man 7 August 2019 at 9:21 am UTC
Why didn't they notify the KDE team BEFORE publishing their write-up? That's what responsible disclosure is all about, and would have avoided this situation! Give the team a couple months to patch, and THEN make the write-up.
I'm a bug bounty hunter myself and any ethical hacker knows not to just disclose a bug to the world as soon as you find it. Pathetic.
grigi 7 August 2019 at 9:37 am UTC
So, as a developer that worked with security researchers I see these two sides of the coin:
"file" is a utility that does a best guess at mime-type of a file, so they took this, extended it with some new kde features. They tried their best to make it work for all use cases they know of.

This probably included shell expansion at runtime to handle some requirement.

Then the mistake could have been that the "file" extended utility would do shell expansion to help resolve the actual type.

Honestly these kinds of mistakes happen, and the common "best practices" re security won't help you find it.

It could even be that originally it didn't do it, but some bugfix for some issue inadvertently made this possible.

So, please don't diss people for not being able to keep all context in memory when doing work.
(And the Gnome related comment is out of place, unrelated, and could even be considered as a form of harassment, so please don't do such trolling)
  Go to:
While you're here, please consider supporting GamingOnLinux on Patreon, Liberapay or Paypal. We have no adverts, no paywalls, no timed exclusive articles. Just good, fresh content. Without your continued support, we simply could not continue!

You can find even more ways to support us on this dedicated page any time. If you already are, thank you!

You need to Register and Login to comment, submit articles and more.


Or login with...

Livestreams & Videos
Community Livestreams
  • SunLust, UV, PistolStarts, Controller, Final map
  • Date:
See more!
Popular this week
View by Category
Contact
Latest Comments
Latest Forum Posts