[ASA-201802-4] plasma-workspace: arbitrary command execution
Arch Linux Security Advisory ASA-201802-4
=========================================

Severity: High
Date    : 2018-02-09
CVE-ID  : CVE-2018-6791
Package : plasma-workspace
Type    : arbitrary command execution
Remote  : No
Link    : https://security.archlinux.org/AVG-607

Summary
=======

The package plasma-workspace before version 5.12.0-1 is vulnerable to
arbitrary command execution.

Resolution
==========

Upgrade to 5.12.0-1.

# pacman -Syu "plasma-workspace>=5.12.0-1"

The problem has been fixed upstream in version 5.12.0.

Workaround
==========

Mount removable devices with Dolphin instead of the device notifier.

Description
===========

When a vfat thumbdrive whose volume label contains `` or $() is plugged in
and mounted through the device notifier, the label is interpreted as a shell
command, leaving a possibility of arbitrary command execution. An example of
an offending volume label is "$(touch b)", which will create a file called b
in the home folder.

Impact
======

A local attacker is able to execute arbitrary commands on the affected system
by inserting and mounting a specially crafted thumbdrive.

References
==========

https://www.kde.org/info/security/advisory-20180208-2.txt
https://security.archlinux.org/CVE-2018-6791
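Added example, not code from the advisory or from plasma-workspace: the pattern behind this class of bug (a volume label interpolated into a shell command string) next to two fixes, a metacharacter check and an argv-based invocation that never touches a shell. The `mkdir` command, the `/run/media/user/` mount-point layout and the names `check_label`, `VolumeLabelError` and `build_mount_argv` are this example's own assumptions, not the notifier's real code.

```python
import re
import shlex

# Shell-active characters a device notifier must never let reach /bin/sh
# unquoted: backtick and $(...) command substitution are the two from the
# advisory; the rest are separators, redirections and quoting characters
# that would likewise change the meaning of a command line.
SHELL_ACTIVE = re.compile(r"[`$()|&;<>\\\"'\n]")


class VolumeLabelError(ValueError):
    """Raised when a volume label would be unsafe to hand to a shell."""


def check_label(label: str) -> str:
    """Return the label unchanged if it contains no shell-active characters,
    otherwise reject it (the advisory's "$(touch b)" is rejected here)."""
    hit = SHELL_ACTIVE.search(label)
    if hit:
        raise VolumeLabelError(
            f"label {label!r} contains shell metacharacter {hit.group()!r}")
    return label


def shell_command_unsafe(label: str) -> str:
    """The vulnerable construction: the label is pasted into a string that is
    later given to a shell, so $(...) or `...` inside it is executed.
    Returned only for comparison; never run the result."""
    return "mkdir -p /run/media/user/" + label   # assumed path layout


def shell_command_quoted(label: str) -> str:
    """If a shell string is unavoidable, quote the label so the shell sees
    one literal word and performs no substitution on it."""
    return "mkdir -p " + shlex.quote("/run/media/user/" + label)


def build_mount_argv(label: str) -> list:
    """Preferred fix: build an argv list to run with shell=False. Each element
    is one argument and nothing in it is ever parsed by a shell."""
    return ["mkdir", "-p", "/run/media/user/" + label]


def words_seen_by_shell(command: str) -> list:
    """Split a command line the way a POSIX shell splits words, to show
    whether the label survived as a single argument."""
    return shlex.split(command)


if __name__ == "__main__":
    hostile = "$(touch b)"          # the advisory's example label
    print(words_seen_by_shell(shell_command_unsafe(hostile)))   # label broken into words
    print(words_seen_by_shell(shell_command_quoted(hostile)))   # label kept as one word
    print(build_mount_argv(hostile))
```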