Source: kconfig
Version: 5.54.0-1
Severity: grave
Tags: patch security upstream
Justification: user security hole
Control: found -1 5.28.0-2
Control: clone -1 -2
Control: reassign -2 src:kde4libs 4:4.14.38-3
Control: retitle -2 kde4libs: CVE-2019-14744
Control: found -2 4:4.14.26-2

Hi,

The following vulnerability was published for kconfig.

CVE-2019-14744[0]:
| In KDE Frameworks KConfig before 5.61.0, malicious desktop files and
| configuration files lead to code execution with minimal user
| interaction. This relates to libKF5ConfigCore.so, and the mishandling
| of .desktop and .directory files, as demonstrated by a shell command
| on an Icon line in a .desktop file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-14744
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14744
[1] https://kde.org/info/security/advisory-20190807-1.txt
[2] https://cgit.kde.org/kconfig.git/commit/?id=5d3e71b1d2ecd2cb2f910036e614ffdfc895aa22
[3] https://cgit.kde.org/kdelibs.git/commit/?id=2c3762feddf7e66cf6b64d9058f625a715694a00

Regards,
Salvatore
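
Added example, not part of the original report or of KDE's code: a triage check that flags .desktop/.directory entries requesting command expansion, the pattern the CVE description attributes to an Icon line. It assumes KConfig's `[$e]` key option and `$(...)` syntax, which the report does not spell out; the sample file and the function name `find_command_expansions` are constructed for illustration.

```python
import re

# Constructed sample, not taken from the report: benign entries plus one
# entry that asks for a command to be run while the icon name is resolved.
SAMPLE = """\
[Desktop Entry]
Type=Application
Name=Notes
Icon=accessories-text-editor
Exec=notes %U

[Desktop Action New]
Name[$e]=$HOME notes
Icon[$e]=$(placeholder-command --arg)
"""

# key, then zero or more [..] options (locale tags or $-flags), then the value
KEY_RE = re.compile(
    r"^(?P<key>[^=\[\s]+)(?P<opts>(?:\[[^\]]*\])*)\s*=\s*(?P<value>.*)$"
)


def find_command_expansions(text):
    """Return (line_no, group, key, value) for entries requesting $(...) expansion."""
    findings = []
    group = ""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]  # group header such as [Desktop Entry]
            continue
        m = KEY_RE.match(line)
        if not m:
            continue
        # Assumption: expansion flags look like [$e] or [$ie]; locale tags
        # such as [de] never start with '$' and are ignored here.
        flags = "".join(re.findall(r"\[\$([^\]]*)\]", m.group("opts")))
        # Plain $VAR expansion is not flagged, only command substitution.
        if "e" in flags and "$(" in m.group("value"):
            findings.append((line_no, group, m.group("key"), m.group("value")))
    return findings


if __name__ == "__main__":
    for hit in find_command_expansions(SAMPLE):
        print("suspicious entry:", hit)
```

A hit is a reason to inspect the file before it is opened in a file manager running an unpatched KConfig; it is not proof of malice, since the same syntax has legitimate administrative uses.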