This bug was fixed in the package plasma-workspace - 4:5.10.5-0ubuntu1.1

---------------
plasma-workspace (4:5.10.5-0ubuntu1.1) artful-security; urgency=high

  * SECURITY UPDATE: Arbitrary command execution in the removable device
    notifier (LP: #1748247):
    - fix-CVE-2018-6791.patch
    - CVE-2018-6791

 -- Simon Quigley <tsimo...@ubuntu.com>  Fri, 16 Mar 2018 23:02:49 -0500

** Changed in: plasma-workspace (Ubuntu Artful)
       Status: In Progress => Fix Released

** Changed in: plasma-workspace (Ubuntu Xenial)
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1748247

Title:
  [CVE] Arbitrary command execution in the removable device notifier

Status in Kubuntu PPA:
  Fix Released
Status in Kubuntu PPA artful series:
  Fix Released
Status in Kubuntu PPA xenial series:
  Fix Released
Status in plasma-workspace package in Ubuntu:
  Fix Released
Status in plasma-workspace source package in Xenial:
  Fix Released
Status in plasma-workspace source package in Artful:
  Fix Released
Status in plasma-workspace source package in Bionic:
  Fix Released

Bug description:
  KDE Project Security Advisory
  =============================

  Title:          Plasma Desktop: Arbitrary command execution in the removable device notifier
  Risk Rating:    High
  CVE:            CVE-2018-6791
  Versions:       Plasma < 5.12.0
  Date:           8 February 2018

  Overview
  ========
  When a vfat thumbdrive which contains `` or $() in its volume label is
  plugged in and mounted through the device notifier, the label is
  interpreted as a shell command, leaving a possibility of arbitrary
  command execution. An example of an offending volume label is
  "$(touch b)", which will create a file called b in the home folder.

  Workaround
  ==========
  Mount removable devices with Dolphin instead of the device notifier.

  Solution
  ========
  Update to Plasma >= 5.12.0 or Plasma >= 5.8.9

  Or apply the following patches:
  Plasma 5.8:
  https://commits.kde.org/plasma-workspace/9db872df82c258315c6ebad800af59e81ffb9212
  Plasma 5.9/5.10/5.11:
  https://commits.kde.org/plasma-workspace/f32002ce50edc3891f1fa41173132c820b917d57

  Credits
  =======
  Thanks to ksieluzyckih for the report and to Marco Martin for the fix.
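
The bug class described in the Overview, as an added example (not code from plasma-workspace or from the KDE patches): an untrusted volume label pasted into a string that /bin/sh parses, next to two hardened forms. The function names, the `echo Mounted:` command and the sample labels are assumptions made for illustration; the sample replaces the advisory's `touch b` with a harmless `echo`.

```python
import shlex
import subprocess

# Constructed sample label, shaped like the advisory's "$(touch b)" example but
# using echo so the only effect is text in the captured output.
SAMPLE_LABEL = "$(echo INJECTED)"


def _run_shell(cmd: str) -> str:
    """Run cmd through /bin/sh and return its stdout."""
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_unsafe(label: str) -> str:
    """Vulnerable pattern: the label becomes part of the shell's source text,
    so `...` and $(...) inside it are evaluated as command substitutions."""
    return _run_shell(f"echo Mounted: {label}")


def run_quoted(label: str) -> str:
    """If a shell cannot be avoided: quote the label so it is one literal word."""
    return _run_shell(f"echo Mounted: {shlex.quote(label)}")


def run_argv(label: str) -> str:
    """Preferred: no shell at all. The label is a single argv element and is
    never parsed as shell syntax."""
    return subprocess.run(
        ["echo", "Mounted:", label], capture_output=True, text=True
    ).stdout


def has_command_substitution(label: str) -> bool:
    """Flag the two constructs the advisory names: backticks and $()."""
    return "`" in label or "$(" in label


if __name__ == "__main__":
    for label in (SAMPLE_LABEL, "`echo INJECTED`", "BACKUP_01"):
        print(repr(label), "flagged:", has_command_substitution(label))
        print("  unsafe:", run_unsafe(label), end="")
        print("  quoted:", run_quoted(label), end="")
        print("  argv:  ", run_argv(label), end="")
```

Only the unsafe variant prints `Mounted: INJECTED`; the quoted and argv variants print the label text unchanged.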