KDE has fixed a vulnerability within its KDE Framework that allowed for malicious code execution simply by viewing a .desktop file, by removing the feature being exploited altogether.
Earlier this week, a security researcher Dominik Penner published a proof of concept that showed how users could be compromised simply by viewing a malicious .desktop file, which is typically used to show an icon for a file or directory, in the KDE file browser.
The researcher did not notify KDE before dropping the vulnerability.
KDE responded on Wednesday by removing the feature to have shell commands as values in the KConfig files, which was described as an intentional feature that allowed for flexibility.
"A file manager trying to find out the icon for a file or directory could end up executing code, or any application using KConfig could end up executing malicious code during its startup phase for instance," a KDE Project security advisory said.
"After careful consideration, the entire feature of supporting shell commands in KConfig entries has been removed, because we couldn't find an actual use case for it."
KDE said anyone that uses the feature should contact the project, in order to determine whether creating a "secure solution" is needed.
"Thanks to Dominik Penner for finding and documenting this issue (we wish however that he would have contacted us before making the issue public) and to David Faure for the fix," the advisory said.
Users of KDE Frameworks 5 would update to 5.61.0, while those on kdelibs should apply the patch in the advisory.