Check out our Monthly Survey Page to see what our users are running.

KDE has an unpatched security issue that's been made public

Posted by , | Views: 12,008

Here's your morning dose of uh-oh, a security researcher has made an unfortunate vulnerability in KDE public. Not something we usually cover, but since there's no fix available it's worth letting you know.

The issue relates to how KDE handles .desktop and .directory files, since on KDE they allow what they call "Shell Expansion" allowing some nasty code to be run. The other issue, is that KDE will automatically execute them without you even opening the files. Discovered by Dominik "zer0pwn" Penner, you can see their write-up of the issue here:

Using a specially crafted .desktop file a remote user could be compromised by simply downloading and viewing the file in their file manager, or by drag and dropping a link of it into their documents or desktop.

Sadly, this makes the security issue one that's quite easy for someone to exploit, as long as they get you to download something containing the malicious file.

On Twitter, the KDE team posted:

For the moment avoid downloading .desktop or .directory files and extracting archives from untrusted sources.

However, that might not be good enough. Going by what else Penner also said on Twitter, it's not just .desktop or .directory files as any unknown filetype can be detected by KDE as an application/desktop mimetype making it a lot worse than originally thought. As long as a file contains "[Desktop Entry]" at the top, it seems KDE will have a go at parsing it.

On top of that, the KDE team were not made aware of the issue before this was all made public. So if you're running KDE, time to be super careful until a patch is out. Hopefully all distributions shipping KDE will be keeping a close eye on this for when a patch is available.

Article taken from GamingOnLinux.com.
Tags: Misc, Security
30 Likes, Who?
We do often include affiliate links to earn us some pennies. We are currently affiliated with GOG, Humble Store and Paradox Interactive. See more information here.
About the author -
I am the owner of GamingOnLinux. After discovering Linux back in the days of Mandrake in 2003, I constantly came back to check on the progress of Linux until Ubuntu appeared on the scene and it helped me to really love it. You can reach me easily by emailing GamingOnLinux directly.
See more from me
45 comments
Page: «5/5
  Go to:

Stupendous Man 8 August 2019 at 10:50 am UTC
Ari El UnoThey have to fix it ASAP, not a couple of MONTHS.
Depends on the severity of the bug. Remember, if the hacker informs the company privately, ideally only the hacker and the company know of the vulnerability. But yeah, the sooner the better.
It is also normal procedure to ask before disclosing, no matter how long time has passed.
ShabbyX 8 August 2019 at 12:42 pm UTC
QuoteFor the moment avoid downloading .desktop or .directory files and extracting archives from untrusted sources.

It's not windows, nobody downloads software off the internet already
F.Ultra 8 August 2019 at 2:04 pm UTC
ShmerlIsn't there some way to disable automatic launching for such files? Autoruns is such an old nasty issue, that it's surprising KDE still has it enabled by default.

It's not autorun per say, it's more like KDE can execute some scripts from the .desktop file e.g in order to determine what to display as the title if you hover over it (not 100% sure since I'm basing this on reading from the KDE site for a few seconds).

Which of course in practice turns it into autorun, but since that was never the intended purpose there is not a way to disable the feature. If the KDE devs had understood that they had actually implemented autorun I'm sure that they would not have implemented this at all. Some one with lots of time on their hand could hunt over their bugzilla and see when this feature was implemented and why, high chance is that it was due to some feature request/bug-report.
slaapliedje 10 August 2019 at 6:44 pm UTC
View PC info
  • Supporter
  • Top Supporter
TheRiddick
ElectricPrismSo if you are one of those people this is for you:

Haha!

I always found it the other way around, gnome users talking about how fantastic their featureless (most extensions don't work) desktop is and how KDE is bloatware, meanwhile I moved from GNOME to PLASMA5 the other day and noticed things just work allot better and faster (even games work faster somehow).

Shrug.. Just saying. GNOME SUCKS!
Guess it depends on your use case. Me, I want something that's just there to launch applications, after all, that's what you use, right? You don't use the operating system, it's just there to manage your applications and windows.

For me, Windows, Mac OSX and KDE seem to get more in the way than they need to. I'll say Windows Sucks for stability, privacy, etc. but not going to really say KDE sucks (well macOS I just don't see a need for ).

Back on topic, this seems like a terrible implementation of just showing an icon and the title, which .desktop already does, why is it executing anything?
Aeder 11 August 2019 at 2:23 pm UTC
The update that fixes this is now available according to Phoronix
  Go to:
While you're here, please consider supporting GamingOnLinux on Patreon, Liberapay or Paypal. We have no adverts, no paywalls, no timed exclusive articles. Just good, fresh content. Without your continued support, we simply could not continue!

You can find even more ways to support us on this dedicated page any time. If you already are, thank you!

You need to Register and Login to comment, submit articles and more.


Or login with...

Livestreams & Videos
Community Livestreams
  • Shots Fired: „Saints Row: The Third“
Popular this week
View by Category
Contact
Latest Comments
Latest Forum Posts