ELA-1058-1 kde4libs security update

arbitrary code execution

2024-03-19
Package: kde4libs
Version: 4:4.14.26-2+deb9u1 (stretch)
Related CVEs: CVE-2019-14744


Dominik Penner discovered a flaw in how KConfig interpreted shell commands in desktop files and other configuration files. An attacker may trick users into installing specially crafted files which could then be used to execute arbitrary code, for example when a file manager looks up the icon for a file, or when any other application using KConfig reads the file. The entire feature of supporting shell commands in KConfig entries has therefore been removed.
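As an added example (not part of the advisory or of the kde4libs package), the following scanner flags configuration entries that ask KConfig for shell expansion, which is the feature this update removes. It assumes the KConfig convention of option flags in square brackets after a key (e.g. Key[$e]=value, with $e requesting expansion); the sample file and the directory defaults are constructed.

```python
import re
import sys
from pathlib import Path

# KConfig puts option flags in square brackets after a key, e.g. Key[$e]=value;
# the "$e" flag requests shell expansion of the value. Before this fix a value
# such as $(command) under such a key reached a shell. The flag syntax is taken
# from KConfig's documented format; everything below is an added, constructed example.
ENTRY = re.compile(r"^(?P<key>[^=\[\]]+?)(?P<flags>(?:\[[^\]]*\])*)\s*=\s*(?P<value>.*)$")
EXPANSION_FLAG = re.compile(r"\[\$[a-z]*e[a-z]*\]")   # [$e], [$ie], ...
COMMAND_SUBST = re.compile(r"\$\(|`")                  # $(...) or backticks

def scan_text(text: str) -> list[dict]:
    """Return one finding per entry that requests shell expansion."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "[")):   # comment or [Group] header
            continue
        m = ENTRY.match(line)
        if not m or not EXPANSION_FLAG.search(m.group("flags")):
            continue
        value = m.group("value")
        findings.append({
            "line": lineno,
            "key": m.group("key").strip() + m.group("flags"),
            "value": value,
            # command substitution is the case the advisory describes;
            # a plain $VAR expansion is still worth review but less severe
            "severity": "high" if COMMAND_SUBST.search(value) else "medium",
        })
    return findings

def scan_paths(paths: list[Path]) -> dict[str, list[dict]]:
    """Scan .desktop and .directory files below the given directories."""
    results = {}
    for base in paths:
        for path in base.rglob("*"):
            if path.is_file() and path.suffix in (".desktop", ".directory"):
                hits = scan_text(path.read_text(errors="replace"))
                if hits:
                    results[str(path)] = hits
    return results

# constructed sample, not taken from any real system
SAMPLE = """[Desktop Entry]
Type=Application
Name=Example
Comment[de]=Beispiel
Icon[$e]=$(CONSTRUCTED_COMMAND)
Exec=/usr/bin/true
Path[$e]=$HOME/bin
"""

if __name__ == "__main__":
    dirs = [Path(p) for p in sys.argv[1:]] or [Path.home() / ".local/share/applications"]
    for f, hits in scan_paths(dirs).items():
        for h in hits:
            print(f"{f}:{h['line']}: [{h['severity']}] {h['key']}={h['value']}")
```

Run it against the directories where desktop files are dropped (per-user application and autostart directories are the usual user-writable ones) on hosts that have not yet received the fixed package.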



For Debian 9 stretch, these problems have been fixed in version 4:4.14.26-2+deb9u1.

We recommend that you upgrade your kde4libs packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.