{"id":"CVE-2019-14744","details":"In KDE Frameworks KConfig before 5.61.0, malicious desktop files and configuration files lead to code execution with minimal user interaction. This relates to libKF5ConfigCore.so, and the mishandling of .desktop and .directory files, as demonstrated by a shell command on an Icon line in a .desktop file.","modified":"2026-05-18T17:42:35.685021Z","published":"2019-08-07T15:15:13.970Z","related":["openSUSE-SU-2019:1851-1","openSUSE-SU-2019:1851-2","openSUSE-SU-2019:1855-1","openSUSE-SU-2019:1898-1","openSUSE-SU-2024:10889-1"],"database_specific":{"unresolved_ranges":[{"vendor_product":"canonical:ubuntu_linux","source":"CPE_FIELD","cpes":["cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*","cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*","cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"16.04"},{"last_affected":"18.04"},{"last_affected":"19.04"}]},{"vendor_product":"debian:debian_linux","source":"CPE_FIELD","cpes":["cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"9.0"},{"last_affected":"10.0"}]},{"vendor_product":"fedoraproject:fedora","source":"CPE_FIELD","cpes":["cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*","cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"29"},{"last_affected":"30"}]},{"vendor_product":"opensuse:backports_sle","source":"CPE_FIELD","cpes":["cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"15.0-sp1"}]},{"vendor_product":"redhat:enterprise_linux_desktop","source":"CPE_FIELD","cpes":["cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"7.0"}]},{"vendor_product":"redhat:enterprise_linux_server","source":"CPE_FIELD","cpes":["cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"7.0"}]},{"vendor_product":"redhat:enterprise_linux_workstation","source":"CPE_FIELD","cpes":["cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"7.0"}]}]},"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5IRIKH7ZWXELIQT6WSLV7EG3VTFWKZPD/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNHO6FZRYBQ2R3UCFDGS66F6DNNTKCMM/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UYKLUSSEK3YJOVQDL6K2LKGS3354UH6L/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTFBQRJAU7ITD3TOMPZAUQMYYCAZ6DTX/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YIDXQ6CUB5E7Y3MJWCUY4VR42QAE6SCJ/"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00034.html"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:2606"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2019/08/msg00023.html"},{"type":"ADVISORY","url":"https://seclists.org/bugtraq/2019/Aug/12"},{"type":"ADVISORY","url":"https://seclists.org/bugtraq/2019/Aug/9"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201908-07"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4100-1/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2019/dsa-4494"},{"type":"ADVISORY","url":"https://www.zdnet.com/article/unpatched-kde-vulnerability-disclosed-on-twitter/"},{"type":"FIX","url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00013.html"},{"type":"FIX","url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00016.html"},{"type":"FIX","url":"http://packetstormsecurity.com/files/153981/Slackware-Security-Advisory-kdelibs-Updates.html"},{"type":"EVIDENCE","url":"https://gist.githubusercontent.com/zeropwn/630832df151029cb8f22d5b6b9efaefb/raw/64aa3d30279acb207f787ce9c135eefd5e52643b/kde-kdesktopfile-command-injection.txt"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/kde/kconfig","events":[{"introduced":"0"},{"fixed":"01674d7d5b1d8d0f21193f00265bf923fda71dc1"}],"database_specific":{"cpe":"cpe:2.3:a:kde:kconfig:*:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"fixed":"5.61.0"}]}}],"versions":["v5.61.0-rc1","v4.100.0-rc1","v4.98.0","v4.97.0","v4.96.0","v4.95.0"],"database_specific":{"vanir_signatures":[{"deprecated":false,"target":{"file":"src/core/kconfig.cpp","function":"pclose"},"source":"https://github.com/kde/kconfig/commit/01674d7d5b1d8d0f21193f00265bf923fda71dc1","signature_version":"v1","signature_type":"Function","id":"CVE-2019-14744-1c7393f5","digest":{"length":78,"function_hash":"166287550091562779193981306668315568857"}},{"deprecated":false,"target":{"file":"autotests/kconfigtest.cpp","function":"KConfigTest::testPath"},"source":"https://github.com/kde/kconfig/commit/01674d7d5b1d8d0f21193f00265bf923fda71dc1","signature_version":"v1","signature_type":"Function","id":"CVE-2019-14744-320960f8","digest":{"length":2344,"function_hash":"201227975064063643500654209063474585945"}},{"deprecated":false,"target":{"file":"src/core/kconfig.cpp"},"source":"https://github.com/kde/kconfig/commit/01674d7d5b1d8d0f21193f00265bf923fda71dc1","signature_version":"v1","signature_type":"Line","id":"CVE-2019-14744-61ba312a","digest":{"threshold":0.9,"line_hashes":["219238070457140180782464651918423636149","38491282600862164353026772136766264913","77473684727101397003423434382086957922","123576541135020462325223209333002481892","243270112199528120021337049640063687340","179232034900449800194992977139071032662","28202976460566135180869651120575273973","257509060350184225176200564890918695238","255654872450667205134243279706975197359","264809491138171191926012690386370160699","143875182632039205929116491628038440693","230704496539716751043063099538078582515","258568453730135438542824856882267925598","751752657148072855984840805065044404","232539804994714740895294641664614644177","223908355289972397329117619322475959895","123359929852011967075040357726367133726","183620047286281769889605689584128899238","314224693445691058727953396780970015458","86145373309543523888844720041847637281","21966175074445045118325256684733246134","85727537607326181577550844617464997181","256102095870506990409813761347665498543","119135648912785358602252128473603736170","54540603266613982471755358018667943681","244317761682267316327482097989042258989","296207873477699354380409116829593071433","44735070715816076088362537488525571293","216357978125872459852245291731832096254","13885507227288685944939745929673310517","97229892384057337916262104037871851087","195677081610674128256962900863103062830","338945489393647297934586417511872891919","286292191644850487457661984672918182557","185493591544518217405171905016427751511","109023484862263956099523302032545832009","50834886412605956583584330568090482115"]}},{"deprecated":false,"target":{"file":"src/core/kconfig.cpp","function":"KConfigPrivate::expandString"},"source":"https://github.com/kde/kconfig/commit/01674d7d5b1d8d0f21193f00265bf923fda71dc1","signature_version":"v1","signature_type":"Function","id":"CVE-2019-14744-c1839bd9","digest":{"length":2118,"function_hash":"149366800661875045146523857866184181742"}},{"deprecated":false,"target":{"file":"src/core/kconfig.cpp","function":"popen"},"source":"https://github.com/kde/kconfig/commit/01674d7d5b1d8d0f21193f00265bf923fda71dc1","signature_version":"v1","signature_type":"Function","id":"CVE-2019-14744-e8406776","digest":{"length":116,"function_hash":"241482068227347318536435887937755967892"}},{"deprecated":false,"target":{"file":"autotests/kconfigtest.cpp"},"source":"https://github.com/kde/kconfig/commit/01674d7d5b1d8d0f21193f00265bf923fda71dc1","signature_version":"v1","signature_type":"Line","id":"CVE-2019-14744-ed6f5eec","digest":{"threshold":0.9,"line_hashes":["274983871087735361117106027363551023157","113313227363192657344864747164063665631","315646538174608672540088760809254909790","22524664523741219598618095927819121532","59194077536573723938310378385337659362","129599921055282812438646111261266311229","49434401398152834330291590172135522192","250697576943176049593587069711254216377","153232625496564923540418561100868624756","169829718039119230167840947785967827157","257586542011894381248965637057220297746","58073473305846995140395636030945561365","210712362608107427662996579891113002721"]}}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-14744.json","vanir_signatures_modified":"2026-05-18T17:42:35Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}