[Group.of.nepali.translators] [Bug 1748247] Re: [CVE] Arbitrary command execution in the removable device notifier
This bug was fixed in the package plasma-workspace - 4:5.10.5-0ubuntu1.1

---
plasma-workspace (4:5.10.5-0ubuntu1.1) artful-security; urgency=high

  * SECURITY UPDATE: Arbitrary command execution in the removable device
    notifier (LP: #1748247):
    - fix-CVE-2018-6791.patch
    - CVE-2018-6791

 -- Simon Quigley  Fri, 16 Mar 2018 23:02:49 -0500

** Changed in: plasma-workspace (Ubuntu Artful)
       Status: In Progress => Fix Released

** Changed in: plasma-workspace (Ubuntu Xenial)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1748247

Title:
  [CVE] Arbitrary command execution in the removable device notifier

Status in Kubuntu PPA:
  Fix Released
Status in Kubuntu PPA artful series:
  Fix Released
Status in Kubuntu PPA xenial series:
  Fix Released
Status in plasma-workspace package in Ubuntu:
  Fix Released
Status in plasma-workspace source package in Xenial:
  Fix Released
Status in plasma-workspace source package in Artful:
  Fix Released
Status in plasma-workspace source package in Bionic:
  Fix Released

Bug description:
  KDE Project Security Advisory
  =============================

  Title:        Plasma Desktop: Arbitrary command execution in the removable device notifier
  Risk Rating:  High
  CVE:          CVE-2018-6791
  Versions:     Plasma < 5.12.0
  Date:         8 February 2018

  Overview
  ========

  When a vfat thumbdrive which contains `` or $() in its volume label is
  plugged in and mounted through the device notifier, it's interpreted as
  a shell command, leaving a possibility of arbitrary command execution.
  An example of an offending volume label is "$(touch b)", which will
  create a file called b in the home folder.

  Workaround
  ==========

  Mount removable devices with Dolphin instead of the device notifier.

  Solution
  ========

  Update to Plasma >= 5.12.0 or Plasma >= 5.8.9

  Or apply the following patches:
  Plasma 5.8:           https://commits.kde.org/plasma-workspace/9db872df82c258315c6ebad800af59e81ffb9212
  Plasma 5.9/5.10/5.11: https://commits.kde.org/plasma-workspace/f32002ce50edc3891f1fa41173132c820b917d57

  Credits
  =======

  Thanks to ksieluzyckih for the report and to Marco Martin for the fix.

To manage notifications about this bug go to:
https://bugs.launchpad.net/kubuntu-ppa/+bug/1748247/+subscriptions

___
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to     : group.of.nepali.translators@lists.launchpad.net
Unsubscribe : https://launchpad.net/~group.of.nepali.translators
More help   : https://help.launchpad.net/ListHelp
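The advisory's Overview describes a volume label reaching a shell unescaped. The following is an added example in Python, not code from plasma-workspace or from the KDE fix: it shows the defensive side of that bug class, namely a check that flags labels carrying shell metacharacters, the difference between splicing a label into a command string and shell-quoting it first, and handing the label to a child process as its own argv element so that no shell ever parses it. The `%f` template placeholder, the metacharacter list and the sample labels are assumptions chosen for illustration.

```python
"""Volume labels are untrusted input: detect shell metacharacters and never
hand a label to a shell.  Added example; not plasma-workspace code."""
import re
import shlex
import subprocess
import sys

# Characters and sequences a POSIX shell would evaluate if the label were
# spliced into a command line.  Assumed list, not taken from the KDE fix.
_SHELL_META = re.compile(r"[`$|&;<>(){}\[\]*?~!\n\"'\\]")


def label_has_shell_metachars(label: str) -> bool:
    """True when a label contains anything a shell might evaluate."""
    return _SHELL_META.search(label) is not None


def build_command_string_unsafe(template: str, label: str) -> str:
    """The vulnerable pattern: splice the label into a command string that is
    later parsed by /bin/sh.  Only returned here, never executed."""
    return template.replace("%f", label)


def build_command_string_quoted(template: str, label: str) -> str:
    """Same template, but the label is shell-quoted before substitution, so a
    shell would see one literal word instead of a command substitution."""
    return template.replace("%f", shlex.quote(label))


def run_with_label_safe(label: str) -> str:
    """Pass the label as a separate argv element to a child process (no shell).
    The child prints argv[1], so the return value is exactly what the program
    received: the literal label, not the output of a command."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", label],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.rstrip("\n")


if __name__ == "__main__":
    # Constructed sample labels: one benign, two carrying shell syntax.
    for lbl in ["MYUSB", "$(touch b)", "`id`"]:
        print(lbl, "flagged:", label_has_shell_metachars(lbl))
        print("  unsafe :", build_command_string_unsafe("open-device %f", lbl))
        print("  quoted :", build_command_string_quoted("open-device %f", lbl))
        print("  argv   :", run_with_label_safe(lbl))
```

The argv form is the one to prefer: quoting repairs a command string that should not exist in the first place, whereas an argument vector has no shell stage at which `$()` or backticks could be evaluated.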
[Group.of.nepali.translators] [Bug 1748247] Re: [CVE] Arbitrary command execution in the removable device notifier
So it looks like Backports already has the fixes.

** Changed in: kubuntu-ppa/artful
       Status: New => Fix Released

** Changed in: kubuntu-ppa/xenial
       Status: New => Fix Released

Title:
  [CVE] Arbitrary command execution in the removable device notifier

Status in Kubuntu PPA:
  Fix Released
Status in Kubuntu PPA artful series:
  Fix Released
Status in Kubuntu PPA xenial series:
  Fix Released
Status in plasma-workspace package in Ubuntu:
  Fix Released
Status in plasma-workspace source package in Xenial:
  In Progress
Status in plasma-workspace source package in Artful:
  In Progress
Status in plasma-workspace source package in Bionic:
  Fix Released

To manage notifications about this bug go to:
https://bugs.launchpad.net/kubuntu-ppa/+bug/1748247/+subscriptions
[Group.of.nepali.translators] [Bug 1748247] Re: [CVE] Arbitrary command execution in the removable device notifier
These fixes should be looked into for Backports too.

** Also affects: kubuntu-ppa
   Importance: Undecided
       Status: New

** Also affects: kubuntu-ppa/artful
   Importance: Undecided
       Status: New

** Also affects: kubuntu-ppa/xenial
   Importance: Undecided
       Status: New

** Changed in: kubuntu-ppa/artful
   Importance: Undecided => High

** Changed in: kubuntu-ppa/xenial
   Importance: Undecided => High

** Changed in: kubuntu-ppa/artful
     Assignee: (unassigned) => Simon Quigley (tsimonq2)

** Changed in: kubuntu-ppa/xenial
     Assignee: (unassigned) => Simon Quigley (tsimonq2)

Title:
  [CVE] Arbitrary command execution in the removable device notifier

Status in Kubuntu PPA:
  New
Status in Kubuntu PPA artful series:
  New
Status in Kubuntu PPA xenial series:
  New
Status in plasma-workspace package in Ubuntu:
  Fix Released
Status in plasma-workspace source package in Xenial:
  In Progress
Status in plasma-workspace source package in Artful:
  In Progress
Status in plasma-workspace source package in Bionic:
  Fix Released

To manage notifications about this bug go to:
https://bugs.launchpad.net/kubuntu-ppa/+bug/1748247/+subscriptions
[Group.of.nepali.translators] [Bug 1748247] Re: [CVE] Arbitrary command execution in the removable device notifier
There isn't even a plasma-workspace on Trusty...

** No longer affects: plasma-workspace (Ubuntu Trusty)

Title:
  [CVE] Arbitrary command execution in the removable device notifier

Status in plasma-workspace package in Ubuntu:
  Fix Released
Status in plasma-workspace source package in Xenial:
  In Progress
Status in plasma-workspace source package in Artful:
  In Progress
Status in plasma-workspace source package in Bionic:
  Fix Released

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/plasma-workspace/+bug/1748247/+subscriptions
[Group.of.nepali.translators] [Bug 1748247] Re: [CVE] Arbitrary command execution in the removable device notifier
Debian says kde-runtime isn't affected, and I can confirm.

** Changed in: kde-runtime (Ubuntu Trusty)
       Status: In Progress => Invalid

** Changed in: kde-runtime (Ubuntu Xenial)
       Status: In Progress => Invalid

** No longer affects: kde-runtime (Ubuntu)

** No longer affects: kde-runtime (Ubuntu Trusty)

** No longer affects: kde-runtime (Ubuntu Xenial)

** No longer affects: kde-runtime (Ubuntu Artful)

** No longer affects: kde-runtime (Ubuntu Bionic)

Title:
  [CVE] Arbitrary command execution in the removable device notifier

Status in plasma-workspace package in Ubuntu:
  Fix Released
Status in plasma-workspace source package in Trusty:
  In Progress
Status in plasma-workspace source package in Xenial:
  In Progress
Status in plasma-workspace source package in Artful:
  In Progress
Status in plasma-workspace source package in Bionic:
  Fix Released

Bug description:
  Patches for this bug should also contain fixes for CVE-2018-6790:

  KDE Project Security Advisory
  =============================

  Title:        Plasma: Notifications can expose user IP address
  Risk Rating:  Low
  CVE:          CVE-2018-6790
  Versions:     Plasma < 5.12.0
  Date:         8 February 2018

  Overview
  ========

  Plasma has support for the Desktop Notifications specification. That
  specification allows embedding images in notifications. Plasma was not
  sanitizing the HTML that forms the notification. That allowed
  notifications to load a remote image, leaking the user's IP address.
  This is in turn made a bit worse by the fact that some chat software
  doesn't sanitize the text it sends to the notification system either,
  meaning that a third party could send a carefully crafted message to a
  chat room and get the IP addresses of the users in that chat room.

  Workaround
  ==========

  Disable notifications

  Solution
  ========

  Update to Plasma >= 5.12.0 or Plasma >= 5.8.9

  Or apply the following patches:
  Plasma 5.8: https://cgit.kde.org/plasma-workspace.git/commit/?h=Plasma/5.8&id=5bc696b5abcdb460c1017592e80b2d7f6ed3107c

  Credits
  =======

  Thanks to David Edmundson for the fix.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/plasma-workspace/+bug/1748247/+subscriptions
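The CVE-2018-6790 description says the notification body was rendered as HTML without sanitization, so an embedded remote image made the desktop issue a network request. The following is an added example in Python, not the plasma-workspace fix: a sanitizer for notification markup that keeps only a small allow-list of formatting tags, drops any `<img>` whose `src` is a network URL (and reports it, so a desktop could log such attempts), keeps local or inline images, and escapes everything else as plain text. The allowed tag set, the list of schemes treated as local, and the sample notification bodies are assumptions.

```python
"""Sanitize notification markup so a notification body cannot make the desktop
fetch a remote image.  Added example; not the plasma-workspace fix."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Formatting tags kept (their attributes are dropped).  Assumed allow-list,
# not the tag list of the Desktop Notifications specification.
ALLOWED_TAGS = {"b", "i", "u"}
# URL schemes an <img> may use without causing a network request (assumption):
# relative paths, local files and inline data.
LOCAL_IMG_SCHEMES = {"", "file", "data"}


def is_remote_url(src: str) -> bool:
    """True when loading this src would contact another host."""
    return urlparse(src.strip()).scheme.lower() not in LOCAL_IMG_SCHEMES


class _Sanitizer(HTMLParser):
    """Rebuilds the markup from an allow-list; everything else becomes text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.remote_images = []  # src values that were dropped

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")
        elif tag == "img":
            src = dict(attrs).get("src") or ""
            if is_remote_url(src):
                self.remote_images.append(src)  # dropped, never rendered
            else:
                self.out.append(f'<img src="{escape(src, quote=True)}">')
        # any other tag (script, a, iframe, ...) is silently dropped

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text content is re-escaped so it cannot reopen markup.
        self.out.append(escape(data, quote=False))


def sanitize_notification(body: str):
    """Return (clean_markup, list_of_remote_image_srcs_removed)."""
    parser = _Sanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.remote_images


if __name__ == "__main__":
    # Constructed sample bodies, the first resembling a relayed chat message.
    for sample in [
        'Hi <b>Bob</b> <img src="http://203.0.113.5/track.png"><i>!</i>',
        '<img src="file:///usr/share/icons/x.png"> ok & <u>done</u>',
    ]:
        clean, dropped = sanitize_notification(sample)
        print(clean, "| dropped:", dropped)
```

The returned list of dropped sources is the detection hook: a notification daemon that records it has a concrete signal for "something tried to make this desktop fetch a remote resource", which is the condition the advisory describes.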
[Group.of.nepali.translators] [Bug 1748247] Re: [CVE] Arbitrary command execution in the removable device notifier
** Changed in: plasma-workspace (Ubuntu Bionic)
       Status: New => Fix Released

Title:
  [CVE] Arbitrary command execution in the removable device notifier

Status in kde-runtime package in Ubuntu:
  New
Status in plasma-workspace package in Ubuntu:
  Fix Released
Status in kde-runtime source package in Trusty:
  In Progress
Status in plasma-workspace source package in Trusty:
  In Progress
Status in kde-runtime source package in Xenial:
  In Progress
Status in plasma-workspace source package in Xenial:
  In Progress
Status in kde-runtime source package in Artful:
  In Progress
Status in plasma-workspace source package in Artful:
  In Progress
Status in kde-runtime source package in Bionic:
  New
Status in plasma-workspace source package in Bionic:
  Fix Released

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/kde-runtime/+bug/1748247/+subscriptions