Package: kconfig / 5.54.0-1+deb10u1

Metadata

Package: kconfig
Version: 5.54.0-1+deb10u1
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
Allow packagers set kconfig_compiler install dir.patch

CMakeLists.txt | 3 3 + 0 - 0 !
src/kconfig_compiler/CMakeLists.txt | 2 1 + 1 - 0 !
2 files changed, 4 insertions(+), 1 deletion(-)

 allow packagers set kconfig_compiler install dir

CVE 2019 14744.patch

autotests/kconfigtest.cpp | 10 2 + 8 - 0 !
docs/options.md | 11 4 + 7 - 0 !
src/core/kconfig.cpp | 37 1 + 36 - 0 !
3 files changed, 7 insertions(+), 51 deletions(-)

 security: remove support for $(...) in config keys with [$e] marker.

Summary:
It is very unclear at this point what a valid use case for this feature
would possibly be. The old documentation only mentions $(hostname) as
an example, which can be done with $HOSTNAME instead.

Note that $(...) is still supported in Exec lines of desktop files,
this does not require [$e] anyway (and actually works better without it,
otherwise the $ signs need to be doubled to obey kconfig $e escaping rules...).

Test Plan:
ctest passes; various testcases with $(...) in desktop files,
directory files, and config files, no longer execute commands.

Reviewers: mdawson, aacid, broulik, davidedmundson, kossebau, apol, sitter, security-team

Reviewed By: mdawson, davidedmundson

Subscribers: ZaWertun, rikmills, fvogt, ngraham, kde-frameworks-devel

Tags: #frameworks