-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3047
                          kconfig security update
                              12 August 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           kconfig
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   Debian GNU/Linux 10
                   Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-14744  

Original Bulletin: 
   http://www.debian.org/security/2019/dsa-4494

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running kconfig check for an updated version of the software for 
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4494-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 09, 2019                       https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : kconfig
CVE ID         : CVE-2019-14744

Dominik Penner discovered that KConfig, the KDE configuration settings
framework, supported a feature to define shell command execution in
.desktop files. If a user is provided with a malformed .desktop file
(e.g. if it's embedded into a downloaded archive and it gets opened in
a file browser) arbitrary commands could get executed. This update
removes this feature.

For the oldstable distribution (stretch), this problem has been fixed
in version 5.28.0-2+deb9u1.

For the stable distribution (buster), this problem has been fixed in
version 5.54.0-1+deb10u1.

We recommend that you upgrade your kconfig packages.

For the detailed security status of kconfig please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/kconfig

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----