Rex Dieter wrote:
> FYI, some background,
> https://kde.org/info/security/advisory-20190807-1.txt
>
> Upstream decided to disable/remove support for shell commands in kconfig.
>
> Fedora currently utilizes this feature for kde4 local localized user-dir
> support via kdeglobals snippet:
>
> kde-profile/minimal/share/config/kdeglobals:
> [Paths]
> Desktop[$e]=$(xdg-user-dir DESKTOP)
> Documents[$e]=$(xdg-user-dir DOCUMENTS)
>
> Personally, now as this apparently only affects kde4 codepaths, I'm
> comfortable following upstream's approach as it at most affects only a
> small handful of applications still using kde4 libraries.
>
> Thoughts?

As an update on this: We discussed this with security(a)kde.org. It turns out
that kdelibs 4 does not need these settings anymore, it will pick the
correct directories by default. So we should just remove these default
settings.

kdelibs3 (which uses the same configuration files as kdelibs 4) is another
story, and I am looking into it (I already have a backport of the security
fix ready, but I have not looked into using the correct Desktop and
Documents directories out of the box yet), but it should not block the
security fix. Ancient KDE 3 applications picking the wrong Desktop and/or
Documents directories definitely has less impact than leaving the security
issue unfixed for both kdelibs 3 and 4 (which share the same configuration
files).

Kevin Kofler
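
An added example, not part of the original message and not Fedora or KDE code: a small Python audit that a packager could run over shipped kconfig files, such as the kdeglobals snippet quoted above, to list entries that still depend on `[$e]` shell command substitution. The function name and the `Trash` and `Note` sample lines are constructed for illustration.

```python
import re
import sys

# key, optional [..] suffixes (a locale or $flags such as [$e]), '=', value
ENTRY_RE = re.compile(r"^(?P<key>[^\[=]+)(?P<opts>(?:\[[^\]]*\])*)\s*=(?P<value>.*)$")
FLAGS_RE = re.compile(r"\[\$([a-z]+)\]")

# First three lines are the snippet from the message; the rest are constructed.
SAMPLE = """\
[Paths]
Desktop[$e]=$(xdg-user-dir DESKTOP)
Documents[$e]=$(xdg-user-dir DOCUMENTS)
Trash[$e]=$HOME/.local/share/Trash
Note=$(not expanded, no [$e] flag)
"""

def find_shell_expansions(text):
    """Return (line_no, group, key, value) for every entry that is marked
    expandable with an 'e' flag and whose value contains a $( substitution."""
    findings = []
    group = ""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):          # group header, e.g. [Paths]
            group = line
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        # Flags may be combined in one suffix, so look for 'e' in any of them.
        expandable = any("e" in f for f in FLAGS_RE.findall(m.group("opts")))
        if expandable and "$(" in m.group("value"):
            findings.append((line_no, group, m.group("key").strip(),
                             m.group("value").strip()))
    return findings

if __name__ == "__main__":
    # Usage: python audit_kconfig.py FILE...   (no arguments: run on SAMPLE)
    sources = sys.argv[1:]
    texts = [(p, open(p, errors="replace").read()) for p in sources] or [("SAMPLE", SAMPLE)]
    for name, text in texts:
        for line_no, group, key, value in find_shell_expansions(text):
            print(f"{name}:{line_no}: {group} {key} = {value}")
```

Entries that only expand environment variables (the constructed `Trash` line) are not reported, since the advisory concerns shell commands.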