KDE vulnerable to malicious .desktop and .directory files! Use caution!

#1

It’s not just those files though. KDE seems to parse anything with a [Desktop Entry] as the beginning of the file. Be VERY careful with .desktop files on KDE right now, as this is basically a zero-day vulnerability.

3 Likes
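Post #1 makes the point that the file extension is not a reliable indicator: what matters is whether the content starts with a `[Desktop Entry]` group. The script below is an added example, not code from this thread or from KDE, written from a defender's angle: it walks a directory (a fresh download folder or an extracted archive) and reports every file that begins with that header, notes whether the name carries the expected `.desktop`/`.directory` suffix, and surfaces the `Exec=` value for manual review before anything is opened in a file manager. It is a triage aid only; the "first non-blank, non-comment line" heuristic and all function names are this example's own assumptions, and the sample files in `demo()` are constructed.

```python
import os
import tempfile
from pathlib import Path

HEADER = "[Desktop Entry]"
EXPECTED_SUFFIXES = {".desktop", ".directory"}


def first_significant_line(text):
    """First line that is neither blank nor a '#' comment (assumed heuristic)."""
    for line in text.splitlines():
        s = line.strip()
        if s and not s.startswith("#"):
            return s
    return ""


def parse_desktop_entry(text):
    """Return key->value pairs from the [Desktop Entry] group only."""
    entries = {}
    in_group = False
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if s.startswith("["):            # any group header switches context
            in_group = (s == HEADER)
            continue
        if in_group and "=" in s:
            key, value = s.split("=", 1)
            entries[key.strip()] = value.strip()
    return entries


def inspect_file(path):
    """Return a finding dict if the file starts with [Desktop Entry], else None."""
    path = Path(path)
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return None
    if first_significant_line(text) != HEADER:
        return None
    entries = parse_desktop_entry(text)
    # Path(".directory").suffix is "" so the bare dotfile name is checked explicitly.
    suffix_ok = path.suffix in EXPECTED_SUFFIXES or path.name == ".directory"
    return {
        "path": str(path),
        "name": path.name,
        "extension_expected": suffix_ok,   # False => desktop entry hiding behind another name
        "type": entries.get("Type"),
        "exec": entries.get("Exec"),       # surfaced for review, never executed here
    }


def scan_tree(root):
    """Walk root and collect every desktop-entry-looking file, sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            finding = inspect_file(os.path.join(dirpath, name))
            if finding is not None:
                findings.append(finding)
    return sorted(findings, key=lambda f: f["path"])


def masquerading(findings):
    """Entries whose file name does not say 'desktop entry' but whose content does."""
    return [f for f in findings if not f["extension_expected"]]


def demo():
    """Build a constructed sample tree in a temp dir and scan it."""
    samples = {
        "legit.desktop": "[Desktop Entry]\nType=Application\nName=Editor\nExec=kate %f\n",
        "notes.txt": "# looks like a text file\n[Desktop Entry]\nType=Application\nExec=true\n",
        ".directory": "[Desktop Entry]\nIcon=folder\n",
        "README.md": "# Nothing to see here\nJust documentation.\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, content in samples.items():
            Path(root, name).write_text(content)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        flag = "" if f["extension_expected"] else "  <-- extension does not match content"
        print(f"{f['name']}: Type={f['type']} Exec={f['exec']}{flag}")
```

Run it against a directory you are about to open and treat any entry with `extension_expected` false, or with an `Exec=` value you did not expect, as something to look at in a text editor rather than in the file manager.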

#2

:joy: :joy: :joy: :joy: :joy: :joy: :joy:

According to Penner, this vulnerability exists in KDE versions 4 and 5 and allows commands embedded in .desktop and .directory files to be executed simply by opening a folder, or in some cases, extracting an archive to the desktop.

Penner reported the bug to Ubuntu after publicly disclosing it. The researcher originally didn’t report it as he “wanted to drop a 0day for Defcon that people could experiment with”.

Almost all Linux distributions are currently utilizing vulnerable versions of KDE.

This Penner dude was in it for the fame.

8 Likes

#3

Not reporting it to the KDE team before making it public is a bad move.

11 Likes

#4

Yeah, that is a massive dick move; it would give them time to address the issue and patch. Then the Linux and BSD distros can ship it.

6 Likes

#5

It really exposes his motivations as a “security researcher”.

4 Likes

#6

Kinda defeats the “with many eyes all bugs are shallow” when you keep it to yourself.

2 Likes

#7

https://phabricator.kde.org/D22979
Looks like a fix is prepped.

1 Like

#8

That was fast.

1 Like

#9

It’s quite a simple problem. It would’ve been no issue if the loser had practiced responsible disclosure.

3 Likes

#10

InfoSuck media whores. People used to do that to Microsoft all the time.

Linux has gotten someone’s attention though. First Gnome and now KDE.

2 Likes

#11

You can’t do it on YouTube anymore, so they have to get creative…

0 Likes

#12

It would’ve been improper procedure to release it on YouTube as well.

0 Likes

#13

It seems the closer a DE/distro/whatever is to the Windows experience, the more vulnerable it gets.
Gotta go i3 all the way.

0 Likes