Updates are available for Ubuntu 19.04, 18.04, and 16.04 LTS

Aug 19, 2019 16:45 GMT

The Debian Project and Canonical released security updates for their supported operating systems to address some recently disclosed vulnerabilities in the KDE libraries.

A couple of weeks ago, the KDE community fixed a security vulnerability discovered by Dominik Penner in the KConfig component, the configuration settings framework of the KDE Plasma desktop environment, which could allow an attacker to execute malicious code through a specially crafted .desktop file included in an archive that was opened in the file manager.

"Dominik Penner discovered that KConfig supported a feature to define shell command execution in .desktop files. If a user is provided with a malformed .desktop file (e.g. if it's embedded into a downloaded archive and it gets opened in a file browser) arbitrary commands could get executed. This update removes this feature," reads the Debian security advisory.

The issue affected versions of the KDE Frameworks open-source software suite earlier than release 5.61.0, announced on August 10th, 2019. Patches were made available within two days of the initial bug report, and they have been making their way into the stable software repositories of the most popular GNU/Linux distributions since then.

Users are urged to update their installations immediately

The Debian Project released a security patch to address the vulnerability (CVE-2019-14744) in the Debian GNU/Linux 9 "Stretch" and Debian GNU/Linux 10 "Buster" operating system series, urging users to update the kconfig package in their installations to versions 5.28.0-2+deb9u1 and 5.54.0-1+deb10u1 respectively.

On the other hand, Canonical today released updated versions of the kconfig and kde4libs packages to fix the vulnerability discovered by Dominik Penner, as well as a 3-year-old security issue (CVE-2016-6232) that could allow remote attackers to write to arbitrary files via a ../ in a filename in an archive file.
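The older issue mentioned above, an archive entry whose name contains `../`, is the kind of defect an extractor can catch before it writes anything. The following is an added example, not code from KDE, Debian or Canonical: it assumes nothing about the affected packages and simply shows the containment check an extractor should apply to every entry name, run over a constructed list of entry names (the traversal-style names are made up for the demo).

```python
import os
import posixpath
from typing import Iterable, List, Tuple

# Constructed sample of entry names as they might appear inside an archive.
# None of these come from a real archive; they illustrate the cases a checker must handle.
SAMPLE_ENTRIES = [
    "docs/readme.txt",        # ordinary relative path: accept
    "docs/../changelog.txt",  # collapses to changelog.txt inside the destination: accept
    "../../etc/passwd",       # climbs out of the destination: reject
    "a/../../b.txt",          # climbs out after normalisation: reject
    "/etc/shadow",            # absolute path: reject
]


def is_safe_member(dest_dir: str, member_name: str) -> bool:
    """Return True only if extracting member_name under dest_dir stays inside dest_dir."""
    # Archive formats store '/'-separated names; absolute names and backslashes
    # are never legitimate and are rejected outright.
    if posixpath.isabs(member_name) or "\\" in member_name:
        return False
    # Collapse '.' and '..' components with POSIX rules, independent of the host OS.
    normalized = posixpath.normpath(member_name)
    # Any '..' that survives normalisation means the entry escapes the destination.
    parts = normalized.split("/")
    if ".." in parts:
        return False
    # Resolve against the destination and confirm containment as a second, independent check.
    dest_abs = os.path.abspath(dest_dir)
    target = os.path.abspath(os.path.join(dest_abs, *parts))
    return os.path.commonpath([dest_abs, target]) == dest_abs


def partition_members(dest_dir: str, names: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split archive entry names into (accepted, rejected) lists for extraction under dest_dir."""
    accepted: List[str] = []
    rejected: List[str] = []
    for name in names:
        (accepted if is_safe_member(dest_dir, name) else rejected).append(name)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = partition_members("/tmp/extract-here", SAMPLE_ENTRIES)
    print("accepted:", ok)
    print("rejected:", bad)
```

The check is done on the entry name, not on the filesystem, so it works before anything is written; the final `commonpath` comparison is a second line of defence in case the string-level check misses a form of escape.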

Patches are available now for the Ubuntu 19.04 (Disco Dingo), Ubuntu 18.04 LTS (Bionic Beaver), and Ubuntu 16.04 LTS (Xenial Xerus) operating system series, including the respective Kubuntu variants. Canonical urges all users who use the KDE Plasma desktop environment to update their systems as soon as possible.