Every article tag can be clicked to get a list of all articles in that category. Every article tag also has an RSS feed! You can customize an RSS feed too!
We do often include affiliate links to earn us some pennies. See more here.

KDE has an unpatched security issue that's been made public

By - | Views: 27,011

Here's your morning dose of uh-oh, a security researcher has made an unfortunate vulnerability in KDE public. Not something we usually cover, but since there's no fix available it's worth letting you know.

The issue relates to how KDE handles .desktop and .directory files, since on KDE they allow what they call "Shell Expansion" allowing some nasty code to be run. The other issue, is that KDE will automatically execute them without you even opening the files. Discovered by Dominik "zer0pwn" Penner, you can see their write-up of the issue here:

Using a specially crafted .desktop file a remote user could be compromised by simply downloading and viewing the file in their file manager, or by drag and dropping a link of it into their documents or desktop.

Sadly, this makes the security issue one that's quite easy for someone to exploit, as long as they get you to download something containing the malicious file.

On Twitter, the KDE team posted:

For the moment avoid downloading .desktop or .directory files and extracting archives from untrusted sources.

However, that might not be good enough. Going by what else Penner also said on Twitter, it's not just .desktop or .directory files as any unknown filetype can be detected by KDE as an application/desktop mimetype making it a lot worse than originally thought. As long as a file contains "[Desktop Entry]" at the top, it seems KDE will have a go at parsing it.

On top of that, the KDE team were not made aware of the issue before this was all made public. So if you're running KDE, time to be super careful until a patch is out. Hopefully all distributions shipping KDE will be keeping a close eye on this for when a patch is available.

Article taken from GamingOnLinux.com.
Tags: Security, Misc
29 Likes
About the author -
author picture
I am the owner of GamingOnLinux. After discovering Linux back in the days of Mandrake in 2003, I constantly came back to check on the progress of Linux until Ubuntu appeared on the scene and it helped me to really love it. You can reach me easily by emailing GamingOnLinux directly. Find me on Mastodon.
See more from me
The comments on this article are closed.
42 comments
Page: «2/5»
  Go to:

PhilSwitch Aug 7, 2019
Well, time to switch back to XFCE. I only have to re-do my config.
Philadelphus Aug 7, 2019
Ooh, ouch. Not a great situation. :O Stay safe, our KDE-using friends!
tmtvl Aug 7, 2019
Quote"To be honest, I was debating on going into the code and making the change myself considering KDE is open source," Penner said.

This guy, man... he had a good idea, but threw it all away for his 5 minutes in the limelight.

In any case, you'd think that after "Bad Taste" (https://nvd.nist.gov/vuln/detail/CVE-2017-11421) DE devs would've learned to not allow code execution in thumbnail display. I'll grant that Bad Taste was a bit more specific than the one KDE has at the moment.
Liam Dawe Aug 7, 2019
I have cleaned up some comments and those that referenced the hateful comment.

GOL is an open community, if I see anyone again say inclusion is "cancer" they will get a hard ban.
dpanter Aug 7, 2019
Never before have I been so reluctant to press like on a GoL article... :|
This is a sobering reminder that nothing is ever completely safe or bug free. I assume there are plenty of Linux gamers who don't hang regularly on more hardcore sites where these things are normally featured.

Kudos to GoL for reporting on this. Awareness is half the battle.

I guess that guy is getting blasted into oblivion for this careless revelation of such a serious bug. Something akin to karma, perhaps.
Liam Dawe Aug 7, 2019
Quoting: liamdaweI have cleaned up some comments and those that referenced the hateful comment.

GOL is an open community, if I see anyone again say inclusion is "cancer" they will get a hard ban.
Last warning on this. Stop. Keep it on the topic.
scaine Aug 7, 2019
View PC info
  • Contributing Editor
  • Mega Supporter
As a security consultant myself, I can't believe it's 2019 and this guy didn't go through responsible disclosure. He'll get his 15 minutes of fame alright, but at the expense of his credibility for any future security work. I wouldn't touch this guy with a barge-pole, knowing that this is the attitude with which they approach their work.
Ananace Aug 7, 2019
It's really annoying to see people labelling themselves as security researchers, only to then go and do absolute asshole / blackhat stuff like publicly posting undisclosed issues or even actively attacking groups themselves.

No, if you attack people, or hand out undisclosed exploits to the people, then you're no longer a security researcher. At that point you've instead become a malicious actor, and a threat to the security community as a whole.
If people start thinking badly of security researchers because news sites and the like accept and propagate the labels idiots like this apply to themselves, then the entire security community is going to suffer.
slaapliedje Aug 7, 2019
The really dumb thing is that he could have still gotten good fame if he had just waited a regular time to announce it publicly after informing the KDE developers. Is this just within Dolphin, or a larger part of KDE as a whole? I don't normally use KDE, but was going to play with Project Trident on an old Macbook Pro, to see if I like FreeBSD, and was going to use KDE on it.
x_wing Aug 7, 2019
Quoting: scaineAs a security consultant myself, I can't believe it's 2019 and this guy didn't go through responsible disclosure. He'll get his 15 minutes of fame alright, but at the expense of his credibility for any future security work. I wouldn't touch this guy with a barge-pole, knowing that this is the attitude with which they approach their work.

Well, after CTS Labs vs AMD fiasco these behaviors doesn't surprise me anymore.

Not sure what happened that Liam had to suppress comments but this is just a security threat that any application can have (remember Shellshock). I hope that KDE is able to release a security patch ASAP in order to boycott the childish behavior of this guy.
While you're here, please consider supporting GamingOnLinux on:

Reward Tiers: Patreon. Plain Donations: PayPal.

This ensures all of our main content remains totally free for everyone! Patreon supporters can also remove all adverts and sponsors! Supporting us helps bring good, fresh content. Without your continued support, we simply could not continue!

You can find even more ways to support us on this dedicated page any time. If you already are, thank you!
The comments on this article are closed.