KDE vulnerable to malicious .desktop and .directory files! Use caution!

https://twitter.com/kdecommunity/status/1158795896454373376

It’s not just those files though. KDE seems to parse anything with a [Desktop Entry] as the beginning of the file. Be VERY careful with .desktop files on KDE right now, as this is basically a zero-day vulnerability.

3 Likes

:joy: :joy: :joy: :joy: :joy: :joy: :joy:

According to Penner, this vulnerability exists in KDE version 4 and 5 and allows commands embedded in .desktop and .directory files to be executed simply by opening a folder, or in some cases, extracting an archive to the desktop.

Penner reported the bug to Ubuntu after publicly disclosing it. The researcher originally didn’t report it as he “wanted to drop a 0day for Defcon that people could experiment with”.

Almost all Linux distributions are currently utilizing vulnerable versions of KDE.

This Penner dude, was in it for the fame.

8 Likes

Not reporting it to the kde team before making it public is a bad move.

11 Likes

Yeah that is a massive dick move it would give them time to address the issue and patch. Then, the distros of Linux and BSD can ship it.

6 Likes

It really exposes his motivations as a “security researcher”

4 Likes

Kinda defeats the “with many eyes all bugs are shallow” when you keep it to yourself.

2 Likes

https://phabricator.kde.org/D22979
looks like a fix is prepped

1 Like

That was fast.

1 Like

it’s quite a simple problem. it wouldve been no issue if the loser had practiced responsible disclosure

3 Likes

InfoSuck media whores. People used to do that to Microsoft all the time.

Linux has gotten someone’s attention though. First Gnome and now KDE.

2 Likes

You can’t do it on YouTube anymore, so they have to get creative…

It would’ve been improper procedure to release it on youtube as well

it seems the closer a DE/distro/whatever is closer the windows experience it gets vulnerable
gotta go i3 all the way