diff -Nru kconfig-5.56.0/debian/changelog kconfig-5.56.0/debian/changelog
--- kconfig-5.56.0/debian/changelog	2019-03-09 16:34:44.000000000 +0000
+++ kconfig-5.56.0/debian/changelog	2019-08-09 08:05:33.000000000 +0100
@@ -1,3 +1,13 @@
+kconfig (5.56.0-0ubuntu1.1) disco-security; urgency=medium
+
+  * SECURITY UPDATE: malicious .desktop files (and others) would execute
+    code (LP: #1839432).
+    - debian/patches/CVE-2019-14744.diff: removes the affected feature as
+      currently 'unused'.
+    - CVE-2019-14744
+
+ -- Rik Mills <rikmills@kubuntu.org>  Fri, 09 Aug 2019 08:05:33 +0100
+
 kconfig (5.56.0-0ubuntu1) disco; urgency=medium
 
   * New upstream release (5.56.0)
diff -Nru kconfig-5.56.0/debian/patches/CVE-2019-14744.diff kconfig-5.56.0/debian/patches/CVE-2019-14744.diff
--- kconfig-5.56.0/debian/patches/CVE-2019-14744.diff	1970-01-01 01:00:00.000000000 +0100
+++ kconfig-5.56.0/debian/patches/CVE-2019-14744.diff	2019-08-09 08:03:04.000000000 +0100
@@ -0,0 +1,147 @@
+From 5d3e71b1d2ecd2cb2f910036e614ffdfc895aa22 Mon Sep 17 00:00:00 2001
+From: David Faure <faure@kde.org>
+Date: Wed, 7 Aug 2019 09:35:36 +0200
+Subject: Security: remove support for $(...) in config keys with [$e] marker.
+
+Summary:
+It is very unclear at this point what a valid use case for this feature
+would possibly be. The old documentation only mentions $(hostname) as
+an example, which can be done with $HOSTNAME instead.
+
+Note that $(...) is still supported in Exec lines of desktop files,
+this does not require [$e] anyway (and actually works better without it,
+otherwise the $ signs need to be doubled to obey kconfig $e escaping rules...).
+
+Test Plan:
+ctest passes; various testcases with $(...) in desktop files,
+directory files, and config files, no longer execute commands.
+
+Reviewers: mdawson, aacid, broulik, davidedmundson, kossebau, apol, sitter, security-team
+
+Reviewed By: mdawson, davidedmundson
+
+Subscribers: ZaWertun, rikmills, fvogt, ngraham, kde-frameworks-devel
+
+Tags: #frameworks
+
+Differential Revision: https://phabricator.kde.org/D22979
+---
+ autotests/kconfigtest.cpp | 10 ++--------
+ docs/options.md           | 11 ++++-------
+ src/core/kconfig.cpp      | 37 +------------------------------------
+ 3 files changed, 7 insertions(+), 51 deletions(-)
+
+diff --git a/autotests/kconfigtest.cpp b/autotests/kconfigtest.cpp
+index 410b5b8..9af3b46 100644
+--- a/autotests/kconfigtest.cpp
++++ b/autotests/kconfigtest.cpp
+@@ -38,7 +38,7 @@
+ #include <utime.h>
+ #endif
+ #ifndef Q_OS_WIN
+-#include <unistd.h> // gethostname
++#include <unistd.h> // getuid
+ #endif
+ 
+ KCONFIGGROUP_DECLARE_ENUM_QOBJECT(KConfigTest, Testing)
+@@ -546,14 +546,8 @@ void KConfigTest::testPath()
+     QCOMPARE(group.readPathEntry("withBraces", QString()), QString("file://" + HOMEPATH));
+     QVERIFY(group.hasKey("URL"));
+     QCOMPARE(group.readEntry("URL", QString()), QString("file://" + HOMEPATH));
+-#if !defined(Q_OS_WIN32) && !defined(Q_OS_MAC)
+-    // I don't know if this will work on windows
+-    // This test hangs on OS X
+     QVERIFY(group.hasKey("hostname"));
+-    char hostname[256];
+-    QVERIFY(::gethostname(hostname, sizeof(hostname)) == 0);
+-    QCOMPARE(group.readEntry("hostname", QString()), QString::fromLatin1(hostname));
+-#endif
++    QCOMPARE(group.readEntry("hostname", QString()), QStringLiteral("(hostname)")); // the $ got removed because empty var name
+     QVERIFY(group.hasKey("noeol"));
+     QCOMPARE(group.readEntry("noeol", QString()), QString("foo"));
+ 
+diff --git a/docs/options.md b/docs/options.md
+index c634c00..4a6e9bc 100644
+--- a/docs/options.md
++++ b/docs/options.md
+@@ -67,18 +67,15 @@ environment variables (and `XDG_CONFIG_HOME` in particular).
+ Shell Expansion
+ ---------------
+ 
+-If an entry is marked with `$e`, environment variables and shell commands will
+-be expanded.
++If an entry is marked with `$e`, environment variables will be expanded.
+ 
+     Name[$e]=$USER
+-    Host[$e]=$(hostname)
+ 
+ When the "Name" entry is read `$USER` will be replaced with the value of the
+-`$USER` environment variable, and `$(hostname)` will be replaced with the output
+-of the `hostname` command.
++`$USER` environment variable.
+ 
+-Note that the application will replace `$USER` and `$(hostname)` with their
+-respective expanded values after saving. To prevent this combine the `$e` option
++Note that the application will replace `$USER` with its
++expanded value after saving. To prevent this combine the `$e` option
+ with `$i` (immmutable) option.  For example:
+ 
+     Name[$ei]=$USER
+diff --git a/src/core/kconfig.cpp b/src/core/kconfig.cpp
+index e1b11ed..f6824ce 100644
+--- a/src/core/kconfig.cpp
++++ b/src/core/kconfig.cpp
+@@ -28,19 +28,6 @@
+ #include <cstdlib>
+ #include <fcntl.h>
+ 
+-#ifdef _MSC_VER
+-static inline FILE *popen(const char *cmd, const char *mode)
+-{
+-    return _popen(cmd, mode);
+-}
+-static inline int pclose(FILE *stream)
+-{
+-    return _pclose(stream);
+-}
+-#else
+-#include <unistd.h>
+-#endif
+-
+ #include "kconfigbackend_p.h"
+ #include "kconfiggroup.h"
+ 
+@@ -183,29 +170,7 @@ QString KConfigPrivate::expandString(const QString &value)
+     int nDollarPos = aValue.indexOf(QLatin1Char('$'));
+     while (nDollarPos != -1 && nDollarPos + 1 < aValue.length()) {
+         // there is at least one $
+-        if (aValue[nDollarPos + 1] == QLatin1Char('(')) {
+-            int nEndPos = nDollarPos + 1;
+-            // the next character is not $
+-            while ((nEndPos <= aValue.length()) && (aValue[nEndPos] != QLatin1Char(')'))) {
+-                nEndPos++;
+-            }
+-            nEndPos++;
+-            QString cmd = aValue.mid(nDollarPos + 2, nEndPos - nDollarPos - 3);
+-
+-            QString result;
+-
+-// FIXME: wince does not have pipes
+-#ifndef _WIN32_WCE
+-            FILE *fs = popen(QFile::encodeName(cmd).data(), "r");
+-            if (fs) {
+-                QTextStream ts(fs, QIODevice::ReadOnly);
+-                result = ts.readAll().trimmed();
+-                pclose(fs);
+-            }
+-#endif
+-            aValue.replace(nDollarPos, nEndPos - nDollarPos, result);
+-            nDollarPos += result.length();
+-        } else if (aValue[nDollarPos + 1] != QLatin1Char('$')) {
++        if (aValue[nDollarPos + 1] != QLatin1Char('$')) {
+             int nEndPos = nDollarPos + 1;
+             // the next character is not $
+             QStringRef aVarName;
+-- 
+cgit v1.1
+
diff -Nru kconfig-5.56.0/debian/patches/series kconfig-5.56.0/debian/patches/series
--- kconfig-5.56.0/debian/patches/series	2019-03-09 16:34:44.000000000 +0000
+++ kconfig-5.56.0/debian/patches/series	2019-08-09 08:05:05.000000000 +0100
@@ -1 +1,2 @@
 Allow-packagers-set-kconfig_compiler-install-dir.patch
+CVE-2019-14744.diff