By default, Bugzilla does not search the list of RESOLVED bugs.
You can force it to do so by putting the upper-case word ALL in front of your search query, e.g.: ALL tdelibs
We recommend searching for bugs this way, as you may discover that your bug has already been resolved and fixed in a later release.

Bug 3032

Summary:	Konqueror arbitrary code execution from .desktop files
Product:	TDE	Reporter:	Sergey Frolov <dunkan.aidaho>
Component:	tdebase	Assignee:	Timothy Pearson <kb9vqf>
Status:	RESOLVED FIXED
Severity:	critical	CC:	bugwatch, dunkan.aidaho, slavek.banko
Priority:	P5
Version:	R14.1.x [Trinity]
Hardware:	All
OS:	Linux
Compiler Version:		TDE Version String:
Application Version:		Application Name:
Bug Depends on:
Bug Blocks:	3010
Attachments:	Screenshot of Konqueror creating a file in user home dir This desktop file will automatically execute `touch vulnerable-to-desktop-code-execution`

Description Sergey Frolov 2019-08-08 01:51:46 CDT

Created attachment 2923 [details]
Screenshot of Konqueror creating a file in user home dir

Konqueror will automatically execute code from a .desktop or .directory file when navigating to a directory which contains said file.

Steps to reproduce: create test.desktop with following content:

[Desktop Entry]
Icon[$e]=$(touch${IFS}vulnerable-to-desktop-code-execution)


Upon (re)entering/reloading directory with Konqueror a file will be created in user home directory.

This is a critical vulnerability because it does not require any action from the user, not even setting execution bit. Only read permission is required.

All one needs to do to run a code on target machine is to place a file inside archive/removable storage.

Initial report: https://twitter.com/zer0pwn/status/1158433002239746048
https://gist.githubusercontent.com/zeropwn/630832df151029cb8f22d5b6b9efaefb/raw/64aa3d30279acb207f787ce9c135eefd5e52643b/kde-kdesktopfile-command-injection.txt

Hotfix for KDE: https://phabricator.kde.org/D22979

Comment 1 Sergey Frolov 2019-08-08 01:54:18 CDT

Created attachment 2924 [details]
This desktop file will automatically execute `touch vulnerable-to-desktop-code-execution`

Comment 2 Sergey Frolov 2019-08-08 02:02:42 CDT

To get a sense, on how ubiquitous .directory files are: as of now there are 11,635 of them across repositories on GitHub

(running this search will require a login)
https://github.com/search?utf8=%E2%9C%93&q=HiddenFilesShown%3D+filename%3A.directory&type=Code&ref=advsearch&l=&l=

Comment 3 Slávek Banko 2019-08-08 19:41:32 CDT

Thank you for reporting. The problem has already been reported in TGW as issue TDE/tdelibs#45:
https://mirror.git.trinitydesktop.org/gitea/TDE/tdelibs/issues/45

And patch based on KDE Frameworks 5 kconfig patch for CVE-2019-14744 is now already merged from pull-request TDE/tdelibs#46:
https://mirror.git.trinitydesktop.org/gitea/TDE/tdelibs/issues/46