KDE and arbitrary code execution



KDE Project Security Advisory

Title: Plasma Desktop: Arbitrary command execution in the removable device notifier
Risk Rating: High
CVE: CVE-2018-6791
Versions: Plasma < 5.12.0
Date: 8 February 2018


When a vfat thumbdrive which contains `` or $() in its volume label is plugged
and mounted trough the device notifier, it’s interpreted as a shell command,
leaving a possibility of arbitrary commands execution. an example of offending
volume label is “$(touch b)” which will create a file called b in the
home folder.


Mount removable devices with Dolphin instead of the device notifier.


Update to Plasma >= 5.12.0 or Plasma >= 5.8.9

Or apply the following patches:
Plasma 5.8:
Plasma 5.9/5.10/5.11:


Thanks to ksieluzyckih for the report and to Marco Martin for the fix.

Source: https://www.kde.org/info/security/advisory-20180208-2.txt




This happens on big projects(like kde) when focus on code gets shaked…
I wonder how /G\nome is :slight_smile:


This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.