CVE-2018-6791
| Severity | High |
| Remote | No |
| Type | Arbitrary command execution |
| Description | When a vfat thumbdrive whose volume label contains backticks or `$()` is plugged in and mounted through the device notifier, the label is interpreted as a shell command, allowing arbitrary command execution. An example of an offending volume label is `$(touch b)`, which will create a file called `b` in the home folder. |

| Group | Package | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|---|
| AVG-607 | plasma-workspace | 5.11.5-2 | 5.12.0-1 | High | Fixed | |

| Date | Advisory | Group | Package | Severity | Type |
|---|---|---|---|---|---|
| 09 Feb 2018 | ASA-201802-4 | AVG-607 | plasma-workspace | High | arbitrary command execution |

| References |
|---|
| https://www.kde.org/info/security/advisory-20180208-2.txt |

| Notes |
|---|
| Workaround: Mount removable devices with Dolphin instead of the device notifier. |