Earlier this week, BleepingComputer in the KDE desktop manager reported on a zero day code execution vulnerability that could allow a remote attackers to execute user commands by tricking them to extract an archive and open their folder. You may use the following free web scanning tool to know the issue directly. It was caused by.desktop and.directory files supporting shell commands that dynamically assigned a value to different KConfig entries, such as the Icon field. This may enable an attacker to generate malicious.desktop or.. directory files that execute code when a folder is opened by Cybersguards as shown below.
In order to correct this vulnerability, the KDE project has decided to remove support for the shell commands in the KConfig entries. Note that [$e] remains useful for environment variable expansion.
