diff --git a/SOURCES/kdelibs-CVE-2019-14744-kconfig-malicious-desktop-files.patch b/SOURCES/kdelibs-CVE-2019-14744-kconfig-malicious-desktop-files.patch
new file mode 100644
index 0000000..9aa4b6d
--- /dev/null
+++ b/SOURCES/kdelibs-CVE-2019-14744-kconfig-malicious-desktop-files.patch
@@ -0,0 +1,85 @@
+diff --git a/kdecore/config/kconfig.cpp b/kdecore/config/kconfig.cpp
+index 7ea26a5..b30584b 100644
+--- a/kdecore/config/kconfig.cpp
++++ b/kdecore/config/kconfig.cpp
+@@ -160,37 +160,7 @@ QString KConfigPrivate::expandString(const QString& value)
+ int nDollarPos = aValue.indexOf( QLatin1Char('$') );
+ while( nDollarPos != -1 && nDollarPos+1 < aValue.length()) {
+ // there is at least one $
+- if( aValue[nDollarPos+1] == QLatin1Char('(') ) {
+- int nEndPos = nDollarPos+1;
+- // the next character is not $
+- while ( (nEndPos <= aValue.length()) && (aValue[nEndPos]!=QLatin1Char(')')) )
+- nEndPos++;
+- nEndPos++;
+- QString cmd = aValue.mid( nDollarPos+2, nEndPos-nDollarPos-3 );
+-
+- QString result;
+- QByteArray oldpath = qgetenv( "PATH" );
+- QByteArray newpath;
+- if (KGlobal::hasMainComponent()) {
+- newpath = QFile::encodeName(KGlobal::dirs()->resourceDirs("exe").join(QChar::fromLatin1(KPATH_SEPARATOR)));
+- if (!newpath.isEmpty() && !oldpath.isEmpty())
+- newpath += KPATH_SEPARATOR;
+- }
+- newpath += oldpath;
+- setenv( "PATH", newpath, 1/*overwrite*/ );
+-// FIXME: wince does not have pipes
+-#ifndef _WIN32_WCE
+- FILE *fs = popen(QFile::encodeName(cmd).data(), "r");
+- if (fs) {
+- QTextStream ts(fs, QIODevice::ReadOnly);
+- result = ts.readAll().trimmed();
+- pclose(fs);
+- }
+-#endif
+- setenv( "PATH", oldpath, 1/*overwrite*/ );
+- aValue.replace( nDollarPos, nEndPos-nDollarPos, result );
+- nDollarPos += result.length();
+- } else if( aValue[nDollarPos+1] != QLatin1Char('$') ) {
++ if( aValue[nDollarPos+1] != QLatin1Char('$') ) {
+ int nEndPos = nDollarPos+1;
+ // the next character is not $
+ QString aVarName;
+diff --git a/kdecore/doc/README.kiosk b/kdecore/doc/README.kiosk
+index b95002d..e4da590 100644
+--- a/kdecore/doc/README.kiosk
++++ b/kdecore/doc/README.kiosk
+@@ -639,19 +639,6 @@ the $USER environment variable. The user will not be able to change this entry.
+ The following syntax is also supported:
+ Name[$ei]=${USER}
+
+-
+-Shell Commands in KDE config files.
+-===================================
+-
+-Since KDE-3.1 arbitrary entries in configuration files can contain shell
+-commands. This way the value of a configuration entry can be determined
+-dynamically at runtime. In order to use this the entry must be marked
+-with [$e].
+-
+-Example:
+-Host[$e]=$(hostname)
+-
+-
+ KDE Kiosk Application API
+ ==========================
+
+diff --git a/kdecore/tests/kconfigtest.cpp b/kdecore/tests/kconfigtest.cpp
+index 78e6ad1..37ea3c2 100644
+--- a/kdecore/tests/kconfigtest.cpp
++++ b/kdecore/tests/kconfigtest.cpp
+@@ -479,12 +479,8 @@ void KConfigTest::testPath()
+ QCOMPARE(group.readPathEntry("withBraces", QString()), QString("file://" + HOMEPATH) );
+ QVERIFY(group.hasKey("URL"));
+ QCOMPARE(group.readEntry("URL", QString()), QString("file://" + HOMEPATH) );
+-#if !defined(Q_OS_WIN32) && !defined(Q_OS_MAC)
+- // I don't know if this will work on windows
+- // This test hangs on OS X
+ QVERIFY(group.hasKey("hostname"));
+- QCOMPARE(group.readEntry("hostname", QString()), QHostInfo::localHostName());
+-#endif
++ QCOMPARE(group.readEntry("hostname", QString()), QString("(hostname)")); // the $ got removed because empty var name
+ QVERIFY(group.hasKey("noeol"));
+ QCOMPARE(group.readEntry("noeol", QString()), QString("foo"));
+ }
diff --git a/SPECS/kdelibs.spec b/SPECS/kdelibs.spec
index e96b809..c916bc6 100644
--- a/SPECS/kdelibs.spec
+++ b/SPECS/kdelibs.spec
@@ -42,7 +42,7 @@ Summary: KDE Libraries # shipped with kde applications, version... %global apps_version 15.04.1 Version: 4.14.8 -Release: 10%{?dist} +Release: 11%{?dist} Name: kdelibs Epoch: 6
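Review bot: In the kconfig.cpp section of this patch, the new side of `KConfigPrivate::expandString` carries no statement that `$(...)` is deliberately left unexpanded; the only record is the test comment `// the $ got removed because empty var name` in kconfigtest.cpp. The handling of `$(` now appears to fall out of the variable-name branch, whose body continues outside the hunk, so the security property rests on an incidental parse path that a later edit to that branch could change. I would put a comment above the remaining branch, for example `// CVE-2019-14744: "$(cmd)" is never executed; "$(" is parsed as an empty variable name and only the '$' is dropped`, and leave one line in README.kiosk stating that shell commands in `[$e]` entries are no longer supported instead of deleting the section without trace. Environment-variable expansion for `[$e]` entries is still present after this change, so entries read from an untrusted .desktop or config file can still take their value from `$VAR`.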
@@ -204,6 +204,7 @@ Patch093: turn-the-packagekit-support-feature-off-by-default.patch ## security fix # Bug 1452068 - CVE-2017-8422 kdelibs: kauth: service invoking dbus is not properly checked and allows local privilege escalation Patch80: kdelibs-kauth-CVE-2017-8422.patch +Patch81: kdelibs-CVE-2019-14744-kconfig-malicious-desktop-files.patch # rhel patches Patch100: solid-upower-0.99.patch
@@ -447,6 +448,7 @@ sed -i -e "s|@@VERSION_RELEASE@@|%{version}-%{release}|" kio/kio/kprotocolmanage # security fixes %patch80 -p1 -b .kdelibs-kauth-CVE-2017-8422 +%patch81 -p1 -b .CVE-2019-14744-kconfig-malicious-desktop-files # rhel patches %patch100 -p1 -b .solid-upower099
@@ -802,6 +804,10 @@ update-mime-database %{_datadir}/mime &> /dev/null || : %changelog +* Thu Aug 08 2019 Jan Grulich - 6:4.14.8-11 +- KConfig: malicious .desktop files would execute code + Resolves: bz#1740736 + * Thu Jun 06 2019 Jan Grulich - 6:4.14.8-10 - Do not fork konsole process when opening terminal from apps using dolphin-part Resolves: bz#1710362