They have hurried. And we are not surprised. Last Tuesday, a security researcher published a security flaw in Plasma, and did so without notifying its developers. The gesture, an ugly one to put it politely, he made because «I just wanted to leave a 0day before Defcon», that is, because he wanted a bit of fame or to be talked about at the Defcon security conference. The KDE Community has had to work against the clock, but it has already fixed the problem.
As they have announced on social networks, the patches are now available in KDE neon, and they will soon appear in the official Ubuntu repositories for the Canonical-based operating systems that use the Plasma graphical environment, such as Kubuntu. This is a perfect example of one of the differences between Kubuntu and KDE neon: Plasma bugs, security-related or not, are fixed and available sooner in KDE neon, while Kubuntu users have to wait for the patches to be delivered to Canonical and for Canonical to upload them to its official repositories.
KDE Community fixes Plasma security flaw in about 24 hours
KDE developers have fixed the bug that allowed the execution of potentially malicious code. The update is already in neon and will appear in your distro shortly. https://t.co/1v8bFsL8gC
- KDE Community (@kdecommunity) August 7
The KDE developers have fixed the bug that allowed potentially dangerous code to run. The update is already in neon and will appear soon in your distribution.
Although the patch is already available (neon) or will be soon (official repositories), the KDE Community last night published three ways to apply it manually:
- Update Frameworks to version 5.61. Frameworks 5.61 will be officially released next Saturday, but it usually takes about a week to reach the official repositories.
- Apply the patch available here.
- kdelibs 4.14 users should apply this other patch.
- And a fourth option added by the editor: patience. Since the flaw can only be exploited if we download a .desktop or .directory file, the simplest thing is to wait and apply the patches from Discover.
As we expected, KDE has responded. From here I can only say: thank you.