Your submission was sent successfully! Close

CVE-2018-6791

Published: 07 February 2018

An issue was discovered in soliduiserver/deviceserviceaction.cpp in KDE Plasma Workspace before 5.12.0. When a vfat thumbdrive that contains `` or $() in its volume label is plugged in and mounted through the device notifier, it's interpreted as a shell command, leading to a possibility of arbitrary command execution. An example of an offending volume label is "$(touch b)" -- this will create a file called b in the home folder.

Priority

Medium

CVSS 3 base score: 6.8

Status

Package Release Status
kde-workspace
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was needs-triage)
plasma-workspace
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(4:5.12.1-0ubuntu1)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (4:5.5.5.2-0ubuntu1.1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

Patches:
Upstream: https://cgit.kde.org/plasma-workspace.git/commit/?id=9db872df82c258315c6ebad800af59e81ffb9212