
Here's your morning dose of uh-oh: a security researcher has made an unfortunate vulnerability in KDE public. It's not something we usually cover, but since there's no fix available it's worth letting you know.

The issue relates to how KDE handles .desktop and .directory files: on KDE they allow what they call "Shell Expansion", which lets some nasty code be run. The other issue is that KDE will automatically execute them without you even opening the files. It was discovered by Dominik "zer0pwn" Penner; you can see their write-up of the issue here:

Using a specially crafted .desktop file a remote user could be compromised by simply downloading and viewing the file in their file manager, or by drag and dropping a link of it into their documents or desktop.

Sadly, this makes the security issue one that's quite easy for someone to exploit, as long as they get you to download something containing the malicious file.

On Twitter, the KDE team posted:

For the moment avoid downloading .desktop or .directory files and extracting archives from untrusted sources.

However, that might not be good enough. Going by what Penner also said on Twitter, it's not just .desktop or .directory files: any unknown filetype can be detected by KDE as an application/desktop mimetype, making it a lot worse than originally thought. As long as a file contains "[Desktop Entry]" at the top, it seems KDE will have a go at parsing it.

On top of that, the KDE team were not made aware of the issue before this was all made public. So if you're running KDE, time to be super careful until a patch is out. Hopefully all distributions shipping KDE will be keeping a close eye on this for when a patch is available.
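
Until a patch lands, one way to check a download folder or an extracted archive for such files is to sniff content rather than trust extensions. The following is an added example, not code from the article, Penner's write-up or KDE; the 4 KiB sniff window, the "first non-blank, non-comment line" rule and all function names are assumptions made for this sketch.

```python
import os
import tempfile

HEADER = b"[Desktop Entry]"
DECLARED = (".desktop", ".directory")  # file names the KDE team's advice calls out
SNIFF_BYTES = 4096  # assumption: "at the top" means within the first 4 KiB

def sniffs_as_desktop_entry(path):
    """True if the first non-blank, non-comment line is the [Desktop Entry] header."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(SNIFF_BYTES)
    except OSError:
        return False  # unreadable files are skipped by this sketch
    head = head.removeprefix(b"\xef\xbb\xbf")  # tolerate a UTF-8 byte-order mark
    for line in head.splitlines():
        line = line.strip()
        if line and not line.startswith(b"#"):
            return line == HEADER
    return False

def scan_tree(root):
    """Return sorted (relative_path, kind) pairs for files that sniff as desktop entries."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            # Symlinks are ignored so the scan never leaves the tree it was given.
            if not os.path.islink(path) and os.path.isfile(path) and sniffs_as_desktop_entry(path):
                kind = "declared" if name.lower().endswith(DECLARED) else "disguised"
                findings.append((os.path.relpath(path, root), kind))
    return sorted(findings)

def demo():
    """Scan a constructed sample tree; the entries are inert and made up for this example."""
    entry = b"[Desktop Entry]\nType=Application\nName=Sample\n"
    samples = {
        "app.desktop": entry,
        ".directory": b"# folder metadata\n\n[Desktop Entry]\nIcon=folder\n",
        os.path.join("sub", "notes.txt"): b"\xef\xbb\xbf" + entry,
        "readme.md": b"This mentions [Desktop Entry] but not at the top.\n",
        "blob.bin": b"\x00\x01\x02[Desktop Entry]\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return scan_tree(root)
```

Files reported as "disguised" are the ones the extension-based advice would miss; run `scan_tree()` on the directory from a terminal rather than browsing it in the file manager.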

Article taken from GamingOnLinux.com.
The comments on this article are closed.
const Aug 7, 2019
His name is kind of fitting. Penner is a foul name in German. It used to be used similar to English "hobo", but now pretty much means "jerk".
Termy Aug 7, 2019
Quoting: const
His name is kind of fitting. Penner is a foul name in German. It used to be used similar to English "hobo", but now pretty much means "jerk".

Was about to write this - ironic that the name is so fitting for someone that posts such a serious attack vector without responsible disclosure practices....
STiAT Aug 7, 2019
Hmh, not a bug, a design flaw. Things like that happen, they implemented some requirement for running shell extensions and forgot the possible security implication if it runs unnoticed.

I remember a similar discussion by the KDE team actually in another topic, where they caught that thing before they released it and changed it before.

Things like that happen, and it will be fixed in no time, of that I'm sure.
slaapliedje Aug 7, 2019
Quoting: chancho_zombie
so it doesn't affect KDE 3 time to give Trinity Desktop a spin.
Whoa, is that still maintained? Kind of think it'd be cool to run on top of FreeBSD that I'm planning on putting on an old Macbook.
Klaas Aug 7, 2019
Quoting: Hori
The problem is not the goal (clean code) the problem is how you go about achieving it. If you introduce bugs in the process, it's obviously bad.

When you go about refactoring code, you must be absolutely sure you know what you're doing, that what you aim to achieve is actually helpful and of good design, and that both the old code and the new code are properly covered by unit tests and/or automation tests so that you can proceed with a high degree of confidence that as long as the tests pass, what you change won't cause any regression, and in the outstanding case that it does, it should be caught by manual testing.

Exactly. Clean code isn't a bad goal, but if you rewrite instead of refactoring and cleaning up there is a high chance that you introduce a huge number of new problems. There is a huge number of articles on the net (and in the literature) that deal with this topic. Writing good tests is hard. Complete manual tests are tedious, so in most cases there is only minimal testing and that is done in a way to check the intended changes.

Take the Konsole regression. The intention of the change was to make the code prettier and the UI sleeker at the same time by disabling changing the icon unless the tab uses a custom icon. Obviously after the bell (temporary custom icon) has been cleared the tab switches back to the default icon, so it is never set.

TL;DR: And there is a difference between refactoring something and rewriting it without a compelling reason. Often the thing that you want to get rid of because it looks like cruft is necessary to handle edge cases.
Projectile Vomit Aug 7, 2019
Well, this does suck. :(
TheSHEEEP Aug 7, 2019
I'm using Manjaro with KDE Plasma, but since I'm not in the habit of downloading, installing or executing random files, I still feel pretty safe.
I've also been using Windows for many, many years without any kind of antivirus software and never had any problems whatsoever.

Frankly, nothing is ever entirely safe. And the biggest safety risk is not some software vulnerability sitting hidden behind some execution layers, but something entirely different sitting in front of the monitor...


Last edited by TheSHEEEP on 7 August 2019 at 4:47 pm UTC
FurbyOnSteroid Aug 7, 2019
Thanks for the heads-up.

Considering that I very rarely install anything, I think I will be just fine. Still, this needs to be fixed asap!

The guy that found it, nice but he really has to handle those things the right way. I'm certain he knows how to handle it correctly, but he just doesn't care. According to his Twitter he is a "whitehat wizard" while sharing basically a tutorial on how to do it on one of KDE's replies. I'm sorry but that's just.. I have many words and yet, I won't post any because I don't want this comment to be removed. Very untrustworthy and disqualifies him immediately as a "whitehat". Should be ashamed of his actions just to be "the cool kid".
WorMzy Aug 7, 2019
Quoting: TheSHEEEP
Frankly, nothing is ever entirely safe. And the biggest safety risk is not some software vulnerability sitting hidden behind some execution layers, but something entirely different sitting in front of the monitor...

I always knew my cats were up to no good!
Shmerl Aug 7, 2019
Isn't there some way to disable automatic launching for such files? Autoruns is such an old nasty issue, that it's surprising KDE still has it enabled by default.


Last edited by Shmerl on 7 August 2019 at 7:10 pm UTC