A zero-day code execution vulnerability in the KDE desktop manager has been resolved by removing support for shell commands in the KConfig configuration system. The vulnerability was caused by.desktop and.directory files supporting shell commands to dynamically assign a value to various KConfig entries such as a the Icon field. This could allow an attacker to create malicious.desktop or.directory files that perform code execution when a folder is opened as shown below in a test by BleepingComputer. The vulnerability is fixed by updating kconfig to version 5.61.0 or applying this patch.
Source: https://www.bleepingcomputer.com/news/security/kde-vulnerability-fixed-by-removing-shell-command-support/

