It’s not just those files though. KDE seems to parse anything with a [Desktop Entry]
as the beginning of the file. Be VERY careful with .desktop
files on KDE right now, as this is basically a zero-day vulnerability.
According to Penner, this vulnerability exists in KDE versions 4 and 5 and allows commands embedded in .desktop and .directory files to be executed simply by opening a folder, or in some cases, extracting an archive to the desktop.
Penner reported the bug to Ubuntu after publicly disclosing it. The researcher originally didn’t report it as he “wanted to drop a 0day for Defcon that people could experiment with”.
Almost all Linux distributions are currently utilizing vulnerable versions of KDE.
This Penner dude was in it for the fame.
Not reporting it to the KDE team before making it public is a bad move.
Yeah, that is a massive dick move. It would give them time to address the issue and patch. Then the distros of Linux and BSD can ship it.
It really exposes his motivations as a “security researcher”.
Kinda defeats the “with many eyes all bugs are shallow” when you keep it to yourself.
That was fast.
It’s quite a simple problem. It would’ve been no issue if the loser had practiced responsible disclosure.
InfoSuck media whores. People used to do that to Microsoft all the time.
Linux has gotten someone’s attention though. First Gnome and now KDE.
You can’t do it on YouTube anymore, so they have to get creative…
It would’ve been improper procedure to release it on YouTube as well.
It seems the closer a DE/distro/whatever is to the Windows experience, the more vulnerable it gets.
gotta go i3 all the way