| Severity |
|
| Remote |
|
| Type |
| - |
Unknown |
| + |
Arbitrary code execution |
|
| Description |
| + |
Several issues have been found in kdeconnect <= 20.08.1 where a remote, unauthenticated attacker on the local network can access sensitive information, crash the daemon or possibly execute arbitrary code via a use-after-free. |
|
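Review bot: The Type field changes from "Unknown" to "Arbitrary code execution", but the added Description lists three outcomes: access to sensitive information, a daemon crash, and "possibly" arbitrary code execution via a use-after-free. The Type therefore records only the worst and least certain outcome. Consider stating in the Description that the type reflects the worst case, or listing the issues individually so each outcome is tied to a specific bug.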
| References |
| + |
https://www.openwall.com/lists/oss-security/2020/10/13/4 |
| + |
https://kde.org/info/security/advisory-20201002-1.txt |
|
| Notes |
| + |
Workaround |
| + |
========== |
| + |
|
| + |
We advise you to stop KDE Connect when on untrusted networks like those on airports or conferences. |
| + |
|
| + |
Since kdeconnect is dbus activated it is relatively hard to make sure it stays stopped so the brute |
| + |
force approach is to uninstall the kdeconnect package from your system and then run |
| + |
kquitapp5 kdeconnectd |
| + |
Just install the package again once you're back in a trusted network. |
|
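Review bot: In the added Notes workaround, the command "kquitapp5 kdeconnectd" sits on its own line with nothing marking it as a command to run, and the sentence leading to it is split mid-phrase across added lines ("so the brute" / "force approach"). Set the command off as a literal and keep the sentence whole so the order of steps (uninstall the package, then quit the daemon) is unambiguous. "those on airports or conferences" would also read better as "those at airports or conferences".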