Executive Summary

Titlekconfig security update
NameDSA-4494First vendor Publication2019-08-09
VendorDebianLast vendor Modification2019-08-09
Severity (Vendor) N/ARevision1

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Cvss Base Score5.1Attack RangeNetwork
Cvss Impact Score6.4Attack ComplexityHigh
Cvss Expoit Score4.9AuthenticationNone Required
Calculate full CVSS 2.0 Vectors scores


Dominik Penner discovered that KConfig, the KDE configuration settings framework, supported a feature to define shell command execution in .desktop files. If a user is provided with a malformed .desktop file (e.g. if it's embedded into a downloaded archive and it gets opened in a file browser) arbitrary commands could get executed. This update removes this feature.

For the oldstable distribution (stretch), this problem has been fixed in version 5.28.0-2+deb9u1.

For the stable distribution (buster), this problem has been fixed in version 5.54.0-1+deb10u1.

We recommend that you upgrade your kconfig packages.

For the detailed security status of kconfig please refer to its security tracker page at: https://security-tracker.debian.org/tracker/kconfig

Original Source

Url : http://www.debian.org/security/2019/dsa-4494

CWE : Common Weakness Enumeration

100 %CWE-77Improper Sanitization of Special Elements used in a Command ('Command Injection')

CPE : Common Platform Enumeration


Alert History

If you want to see full details history, please login or register.
2019-08-15 17:22:17
  • Multiple Updates
2019-08-09 21:18:33
  • First insertion