Bug 10164

Summary: kconfig security vulnerability (CVE-2019-14744)
Product: [ROSA-based products] ROSA Fresh Reporter: Zombie Ryushu <zombie.ryushu>
Component: Packages from MainAssignee: ROSA Linux Bugs <bugs>
Status: RESOLVED DUPLICATE QA Contact: ROSA Linux Bugs <bugs>
Severity: normal    
Priority: Normal CC: alzim, andrey.bondrov, denis.silakov, mc2374
Version: All   
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://advisories.mageia.org/MGASA-2019-0278.html
Whiteboard:
Platform: --- ROSA Vulnerability identifier: CVE-2019-14744
RPM Package: kconfig ISO-related:
Bad POT generating: Upstream:

Description Zombie Ryushu 2019-09-18 07:28:00 MSK 
Dominik Penner discovered that KConfig supported a feature to define shell
command execution in .desktop files. If a user is provided with a malformed
.desktop file (e.g. if it's embedded into a downloaded archive and it gets
opened in a file browser) arbitrary commands could get executed
(CVE-2019-14744).

This update fixes the security issue by removing the shell command feature.
Comment 1 Andrey Bondrov 2019-09-18 09:00:00 MSK 

*** This bug has been marked as a duplicate of bug 10052 ***