Re: kconfig and CVE-2019-14744

Rex Dieter wrote:
> FYI, some background,
> 
> https://kde.org/info/security/advisory-20190807-1.txt
> 
> Upstream decided to disable/remove support for shell commands in kconfig.
> Fedora currently utilizes this feature for kde4 local localized user-dir
> support via kdeglobals snippet:
> 
> kde-profile/minimal/share/config/kdeglobals:
> 
> [Paths]
> Desktop[$e]=$(xdg-user-dir DESKTOP)
> Documents[$e]=$(xdg-user-dir DOCUMENTS)
> 
> 
> Personally, now as this apparently only affects kde4 codepaths, I'm
> comfortable following upstream's approach as it at most affects only a
> small handful of applications still using kde4 libraries.
> 
> Thoughts?

As an update on this: We discussed this with security@xxxxxxx. It turns out 
that kdelibs 4 does not need these settings anymore, it will pick the 
correct directories by default. So we should just remove these default 
settings.

kdelibs3 (which uses the same configuration files as kdelibs 4) is another 
story, and I am looking into it (I already have a backport of the security 
fix ready, but I have not looked into using the correct Desktop and 
Documents directories out of the box yet), but it should not block the 
security fix. Ancient KDE 3 applications picking the wrong Desktop and/or 
Documents directories definitely has less impact than leaving the security 
issue unfixed for both kdelibs 3 and 4 (which share the same configuration 
files).

        Kevin Kofler
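
An added example, not part of the original message and not Fedora or KDE code: a Python check that lists kconfig entries relying on shell command expansion, like the kdeglobals snippet quoted above, so a packager can find the defaults that need removing. It assumes the usual kconfig syntax, in which a `[$e]` tag (possibly combined with other flags, as in `[$ei]`) requests expansion; the function name and the sample text are constructed for illustration.

```python
import re

# Constructed sample: the snippet quoted in the message plus two harmless entries.
SAMPLE = """\
[Paths]
Desktop[$e]=$(xdg-user-dir DESKTOP)
Documents[$e]=$(xdg-user-dir DOCUMENTS)
Trash[$e]=$HOME/.trash
[General]
Name[de]=Beispiel
"""

# key, then zero or more [tag] suffixes (locale or $flags), then =value
ENTRY = re.compile(r"^(?P<key>[^=\[]+)(?P<tags>(?:\[[^\]]*\])*)\s*=(?P<value>.*)$")
TAG = re.compile(r"\[([^\]]*)\]")


def find_shell_entries(text):
    """Return (line_no, group, key, value) for entries that request expansion
    and whose value contains a $(...) command substitution."""
    hits, group = [], ""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            group = line  # group header, kept verbatim
            continue
        m = ENTRY.match(line)
        if not m:
            continue
        # Collect option flags from tags that start with "$"; [de] is a locale tag.
        flags = "".join(t[1:] for t in TAG.findall(m["tags"]) if t.startswith("$"))
        # Plain $VAR expansion (the Trash entry) is not a shell command, so skip it.
        if "e" in flags and "$(" in m["value"]:
            hits.append((no, group, m["key"].strip(), m["value"].strip()))
    return hits


if __name__ == "__main__":
    import sys
    texts = {p: open(p, encoding="utf-8", errors="replace").read()
             for p in sys.argv[1:]} or {"<sample>": SAMPLE}
    for name, text in texts.items():
        for no, group, key, value in find_shell_entries(text):
            print(f"{name}:{no}: {group} {key} = {value}")
```

Run it with the paths of the config files to audit as arguments; with no arguments it scans the constructed sample.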