[ASA-201802-4] plasma-workspace: arbitrary command execution
Arch Linux Security Advisory ASA-201802-4 = Severity: High Date: 2018-02-09 CVE-ID : CVE-2018-6791 Package : plasma-workspace Type: arbitrary command execution Remote : No Link: https://security.archlinux.org/AVG-607 Summary === The package plasma-workspace before version 5.12.0-1 is vulnerable to arbitrary command execution. Resolution == Upgrade to 5.12.0-1. # pacman -Syu "plasma-workspace>=5.12.0-1" The problem has been fixed upstream in version 5.12.0. Workaround == Mount removable devices with Dolphin instead of the device notifier. Description === When a vfat thumbdrive which contains `` or $() in its volume label is plugged and mounted trough the device notifier, it's interpreted as a shell command, leaving a possibility of arbitrary commands execution. an example of offending volume label is "$(touch b)" which will create a file called b in the home folder. Impact == A local attacker is able to execute arbitrary commands on the affected system by inserting and mounting a specially crafted thumbdrive. References == https://www.kde.org/info/security/advisory-20180208-2.txt https://security.archlinux.org/CVE-2018-6791 signature.asc Description: PGP signature
[ASA-201802-4] plasma-workspace: arbitrary command execution
[ASA-201802-4] plasma-workspace: arbitrary command execution Arch Linux Security Advisory ASA-201802-4 = Severity: High Date: 2018-02-09 CVE-ID : CVE-2018-6791 Package : plasma-workspace Type: arbitrary command execution Remote : No Link: https://security.archlinux.org/AVG-607 Summary === The package plasma-workspace before version 5.12.0-1 is vulnerable to arbitrary command execution. Resolution == Upgrade to 5.12.0-1. # pacman -Syu "plasma-workspace>=5.12.0-1" The problem has been fixed upstream in version 5.12.0. Workaround == Mount removable devices with Dolphin instead of the device notifier. Description === When a vfat thumbdrive which contains `` or $() in its volume label is plugged and mounted trough the device notifier, it's interpreted as a shell command, leaving a possibility of arbitrary commands execution. an example of offending volume label is "$(touch b)" which will create a file called b in the home folder. Impact == A local attacker is able to execute arbitrary commands on the affected system by inserting and mounting a specially crafted thumbdrive. References == https://www.kde.org/info/security/advisory-20180208-2.txt https://security.archlinux.org/CVE-2018-6791 signature.asc Description: PGP signature
[ASA-201802-3] go-pie: arbitrary code execution
Arch Linux Security Advisory ASA-201802-3 = Severity: High Date: 2018-02-09 CVE-ID : CVE-2018-6574 Package : go-pie Type: arbitrary code execution Remote : Yes Link: https://security.archlinux.org/AVG-606 Summary === The package go-pie before version 1.9.4-1 is vulnerable to arbitrary code execution. Resolution == Upgrade to 1.9.4-1. # pacman -Syu "go-pie>=1.9.4-1" The problem has been fixed upstream in version 1.9.4. Workaround == None. Description === Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked. Impact == A remote attacker is able to trick the “go get” command into executing arbitrary code by passing a maliciously-crafted flag to the gcc or clang backends. References == https://github.com/golang/go/issues/23672 https://go.googlesource.com/go/+/867fb18b6d5bc73266b68c9a695558a04e060a8a https://groups.google.com/forum/m/#!msg/golang-nuts/Gbhh1NxAjMU/dfW69X50AgAJ https://security.archlinux.org/CVE-2018-6574 signature.asc Description: PGP signature
