Opened 9 months ago

Closed 6 months ago

#21554 closed enhancement (fixed)

kde-gear-25.08.0 falkon, kate, kwave, kmix

Reported by: Bruce Dubbs Owned by: Bruce Dubbs
Priority: normal Milestone: 12.4
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

New point version.

Change History (6)

comment:1 by Douglas R. Reno, 8 months ago

Priority: normal → high
Summary: kde-gear-25.04.1 falkon, kate, kwave, kmix (Wait until August) → kde-gear-25.04.2 falkon, kate, kwave, kmix (Wait until August)

A security advisory has been posted for Konsole.

A new security advisory for Konsole has been announced.

KDE Project Security Advisory
=============================

Title:           Konsole: Incorrect telnet scheme handling
Risk rating:     Critical
CVE:             CVE-2025-49091
Versions:        Konsole < 25.04.2
Date:            09 June 2025

Overview
========

Konsole supports loading URLs from the scheme handlers such as
telnet://URL. This can be executed regardless of whether the telnet
binary is available.

In this mode konsole had a path where if telnet was not available it
would fall back to using bash for the given arguments provided; which
is the URL provided. This allows an attacker to execute arbitrary
code.

Browsers typically provide a prompt when a user opens an external
scheme handler which would look suspicious, requiring user interaction
to be exploitable.

Impact
======

An attacker could trick a user into executing arbitrary code with a
malicious link and social engineering to make them accept it.

Workaround
==========

Install the telnet client, or delete the file:
/usr/share/applications/ktelnetservice6.desktop

Solution
========

Upgrade to konsole 25.04.2

Or apply the following patch:
http://commits.kde.org/konsole/39ffddb77763a32bc3f039514265506c6be73d48


Credits
=======

Thanks to Dennis Dast (proofnet GmbH) for reporting this issue.
Thanks to Kurt Hindenburg for fixing the issue.

While we do carry telnet, the path can probably be followed for other scheme handlers as well, given that this is in the code that handles all command launches from URL schemes. http://commits.kde.org/konsole/39ffddb77763a32bc3f039514265506c6be73d48

comment:2 by Douglas R. Reno, 8 months ago

It is not just telnet related.

Proof of concept I just came up with:

  • echo "whoami" > /tmp/poc.sh
  • rlogin:///tmp/poc.sh
Warning: Could not find 'rlogin', starting '/bin/bash' instead.  Please check your profile settings.

renodr

I have tested and 'sudo' doesn't work, but this is still a rather serious problem.

To exploit this, a user would need to right-click on "rlogin:///tmp/poc.sh" and click Open Link.
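The advisory in comment 1 gives three exposure conditions (konsole older than 25.04.2, the scheme-handler .desktop file still installed, and the client it would launch missing), and comment 2 shows the rlogin scheme reaches the same bash fallback. The host check below is an added example, not part of the ticket or of KDE's code; it applies those criteria to a host and assumes `konsole --version` prints "konsole X.Y.Z" and that ktelnetservice6.desktop also registers the rlogin handler.

```sh
#!/bin/sh
# Added example (not from the ticket or KDE): apply the advisory's exposure
# criteria for CVE-2025-49091 to this host. The bash fallback only triggers
# when a vulnerable konsole has the handler installed but the client missing.

# version_lt A B: exit 0 if dotted version A is older than B ("04" == "4").
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1
    }'
}

# konsole_exposed VERSION HANDLER_PRESENT CLIENT_PRESENT ("yes"/"no").
# Exit 0 when all three advisory conditions hold, 1 otherwise.
konsole_exposed() {
    version_lt "$1" "25.04.2" || return 1   # fixed in 25.04.2 and later
    [ "$2" = "yes" ] || return 1            # handler deleted: nothing launches
    [ "$3" = "no" ] || return 1             # real client present: no fallback
    return 0
}

# check_scheme SCHEME CLIENT DESKTOP_FILE: report one handler on this host.
check_scheme() {
    scheme=$1 client=$2 desktop=$3
    ver=$(konsole --version 2>/dev/null | awk '/^konsole/ { print $2 }')
    [ -n "$ver" ] || { echo "$scheme: konsole not installed"; return 1; }
    present=no; [ -e "$desktop" ] && present=yes
    have=no; command -v "$client" >/dev/null 2>&1 && have=yes
    if konsole_exposed "$ver" "$present" "$have"; then
        echo "$scheme: EXPOSED (konsole $ver, $desktop present, $client missing)"
    else
        echo "$scheme: not exposed (konsole $ver)"
    fi
}

# Installing telnet (the advisory's workaround) does not cover rlogin, so both
# are checked. Sharing the .desktop file between them is an assumption.
check_scheme telnet telnet /usr/share/applications/ktelnetservice6.desktop || :
check_scheme rlogin rlogin /usr/share/applications/ktelnetservice6.desktop || :
```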

comment:3 by Bruce Dubbs, 8 months ago

Priority: high → normal

konsole has been updated so changing the priority back to normal.

comment:4 by Douglas R. Reno, 8 months ago

SA-12.3-054 issued for Konsole

comment:5 by Bruce Dubbs, 6 months ago

Milestone: 99-Waiting → 12.4
Owner: changed from blfs-book to Bruce Dubbs
Summary: kde-gear-25.04.2 falkon, kate, kwave, kmix (Wait until August) → kde-gear-25.08.0 falkon, kate, kwave, kmix

Version 25.08.0 has been released.

comment:6 by Bruce Dubbs, 6 months ago

Resolution: fixed
Status: new → closed

Fixed at commit 3977048040.
