| Severity |
|
| Remote |
|
| Type |
Arbitrary command execution |
|
| Description |
When a vfat thumbdrive whose volume label contains `` or $() is plugged in and mounted through the device notifier, the label is interpreted as a shell command, allowing arbitrary command execution. An example of an offending volume label is "$(touch b)", which will create a file called b in the home folder. |
|
| References |
https://www.kde.org/info/security/advisory-20180208-2.txt |
|
| Notes |
Workaround: mount removable devices with Dolphin instead of the device notifier. |
|
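
The failure mode in the description, as an added shell example (not code from KDE Plasma or from the advisory): a label spliced into a command string that a shell re-parses gets executed, while the same label passed as an argument stays inert. The function names are hypothetical; the sample label is the one quoted in the description.

```shell
#!/bin/sh
# Constructed sample: the volume label quoted in the description above.
LABEL='$(touch b)'

# Unsafe pattern: the label becomes part of a string that a second shell parses,
# so $(...) or `...` inside it runs as command substitution.
open_unsafe() {
    sh -c "echo Opening volume $1"
}

# Safe pattern: the label travels as a positional argument and is only ever
# expanded inside double quotes, so the inner shell treats it as data.
open_safe() {
    sh -c 'echo "Opening volume $1"' sh "$1"
}

# Defensive check: succeed when a label carries command-substitution syntax.
label_has_substitution() {
    case $1 in
        *'`'*|*'$('*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run one handler in a scratch directory and report whether file "b" appeared.
demo() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" && "$1" "$LABEL" >/dev/null )
    if [ -e "$dir/b" ]; then result=executed; else result=inert; fi
    rm -rf "$dir"
    echo "$result"
}

echo "unsafe handler: $(demo open_unsafe)"
echo "safe handler:   $(demo open_safe)"
if label_has_substitution "$LABEL"; then
    echo "label flagged: $LABEL"
fi
```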