CVE-2018-6791

Source
Severity High
Remote No
Type Arbitrary command execution
Description
When a vfat thumbdrive which contains `` or $() in its volume label is plugged and mounted trough the device notifier, it's interpreted as a shell command, leaving a possibility of arbitrary commands execution. an example of offending volume label is "$(touch b)" which will create a file called b in the home folder.
Group Package Affected Fixed Severity Status Ticket
AVG-607 plasma-workspace 5.11.5-2 5.12.0-1 High Fixed
Date Advisory Group Package Severity Description
09 Feb 2018 ASA-201802-4 AVG-607 plasma-workspace High arbitrary command execution
References
https://www.kde.org/info/security/advisory-20180208-2.txt
Notes
workaround: Mount removable devices with Dolphin instead of the device notifier.