CVE-2018-6791 log

Severity High
Remote No
Type Arbitrary command execution
When a vfat thumbdrive which contains `` or $() in its volume label is plugged and mounted trough the device notifier, it's interpreted as a shell command, leaving a possibility of arbitrary commands execution. an example of offending volume label is "$(touch b)" which will create a file called b in the home folder.
Group Package Affected Fixed Severity Status Ticket
AVG-607 plasma-workspace 5.11.5-2 5.12.0-1 High Fixed
Date Advisory Group Package Severity Type
09 Feb 2018 ASA-201802-4 AVG-607 plasma-workspace High arbitrary command execution
workaround: Mount removable devices with Dolphin instead of the device notifier.