[Group.of.nepali.translators] [Bug 1748247] Re: [CVE] Arbitrary command execution in the removable device notifier

2018-03-21 Thread Launchpad Bug Tracker
This bug was fixed in the package plasma-workspace - 4:5.10.5-0ubuntu1.1

---
plasma-workspace (4:5.10.5-0ubuntu1.1) artful-security; urgency=high

  * SECURITY UPDATE: Arbitrary command execution in the removable device
    notifier (LP: #1748247):
    - fix-CVE-2018-6791.patch
    - CVE-2018-6791

 -- Simon Quigley   Fri, 16 Mar 2018 23:02:49 -0500

** Changed in: plasma-workspace (Ubuntu Artful)
   Status: In Progress => Fix Released

** Changed in: plasma-workspace (Ubuntu Xenial)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1748247

Title:
  [CVE] Arbitrary command execution in the removable device notifier

Status in Kubuntu PPA:
  Fix Released
Status in Kubuntu PPA artful series:
  Fix Released
Status in Kubuntu PPA xenial series:
  Fix Released
Status in plasma-workspace package in Ubuntu:
  Fix Released
Status in plasma-workspace source package in Xenial:
  Fix Released
Status in plasma-workspace source package in Artful:
  Fix Released
Status in plasma-workspace source package in Bionic:
  Fix Released

Bug description:
  KDE Project Security Advisory
  =============================

  Title:        Plasma Desktop: Arbitrary command execution in the removable device notifier
  Risk Rating:  High
  CVE:          CVE-2018-6791
  Versions:     Plasma < 5.12.0
  Date:         8 February 2018

  Overview
  ========
  When a vfat thumbdrive which contains `` or $() in its volume label is plugged
  and mounted through the device notifier, it's interpreted as a shell command,
  leaving a possibility of arbitrary command execution. An example of an offending
  volume label is "$(touch b)" which will create a file called b in the
  home folder.

  Workaround
  ==========
  Mount removable devices with Dolphin instead of the device notifier.

  Solution
  ========
  Update to Plasma >= 5.12.0 or Plasma >= 5.8.9

  Or apply the following patches:
  Plasma 5.8:
  https://commits.kde.org/plasma-workspace/9db872df82c258315c6ebad800af59e81ffb9212
  Plasma 5.9/5.10/5.11:
  https://commits.kde.org/plasma-workspace/f32002ce50edc3891f1fa41173132c820b917d57

  Credits
  =======
  Thanks to ksieluzyckih for the report and to Marco Martin for the fix.

To manage notifications about this bug go to:
https://bugs.launchpad.net/kubuntu-ppa/+bug/1748247/+subscriptions

___
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to : group.of.nepali.translators@lists.launchpad.net
Unsubscribe : https://launchpad.net/~group.of.nepali.translators
More help   : https://help.launchpad.net/ListHelp
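The substitution mechanism described in the advisory's Overview, as an added illustration that is not KDE's code: the vulnerable pattern (label spliced into a command string that /bin/sh parses) next to the argv-based fix and a quoting fallback. The labels are constructed and `echo` stands in for the file-manager launch, so nothing is created on disk.

```python
import shlex
import subprocess

# Constructed sample labels: a normal one plus the two shapes the advisory
# names, command substitution via $() and via backticks.  "echo injected"
# is a harmless stand-in for whatever a hostile label would run.
SAMPLE_LABELS = ["MYUSB", "$(echo injected)", "`echo injected`"]


def open_vulnerable(label: str) -> str:
    """Pattern behind CVE-2018-6791: the label is spliced into a command
    string that /bin/sh then parses, so substitutions inside it run."""
    cmd = f'echo "Opening {label}"'  # imagine a file-manager launch instead
    return subprocess.run(cmd, shell=True, capture_output=True,
                          text=True).stdout.strip()


def open_hardened(label: str) -> str:
    """Fix: no shell in the loop.  The label is one argv element, handed to
    the child exactly as the filesystem reported it."""
    return subprocess.run(["echo", f"Opening {label}"], capture_output=True,
                          text=True).stdout.strip()


def open_quoted(label: str) -> str:
    """Fallback when a shell really is needed: quote the untrusted field so
    the shell sees only literal characters (the KDE analogue is KShell::quoteArg)."""
    cmd = f"echo {shlex.quote('Opening ' + label)}"
    return subprocess.run(cmd, shell=True, capture_output=True,
                          text=True).stdout.strip()


def label_was_interpreted(label: str, output: str) -> bool:
    """Detection heuristic: if the label did not survive verbatim, the shell
    rewrote it, which is the observable signature of this bug class."""
    return output != f"Opening {label}"


if __name__ == "__main__":
    for label in SAMPLE_LABELS:
        for launch in (open_vulnerable, open_hardened, open_quoted):
            out = launch(label)
            flag = "INTERPRETED" if label_was_interpreted(label, out) else "literal"
            print(f"{launch.__name__:16} {label!r:20} -> {out!r:32} {flag}")
```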


[Group.of.nepali.translators] [Bug 1748247] Re: [CVE] Arbitrary command execution in the removable device notifier

2018-03-16 Thread Simon Quigley
So it looks like Backports already has the fixes.

** Changed in: kubuntu-ppa/artful
   Status: New => Fix Released

** Changed in: kubuntu-ppa/xenial
   Status: New => Fix Released


Status in Kubuntu PPA:
  Fix Released
Status in Kubuntu PPA artful series:
  Fix Released
Status in Kubuntu PPA xenial series:
  Fix Released
Status in plasma-workspace package in Ubuntu:
  Fix Released
Status in plasma-workspace source package in Xenial:
  In Progress
Status in plasma-workspace source package in Artful:
  In Progress
Status in plasma-workspace source package in Bionic:
  Fix Released



[Group.of.nepali.translators] [Bug 1748247] Re: [CVE] Arbitrary command execution in the removable device notifier

2018-03-16 Thread Simon Quigley
These fixes should be looked into for Backports too.

** Also affects: kubuntu-ppa
   Importance: Undecided
   Status: New

** Also affects: kubuntu-ppa/artful
   Importance: Undecided
   Status: New

** Also affects: kubuntu-ppa/xenial
   Importance: Undecided
   Status: New

** Changed in: kubuntu-ppa/artful
   Importance: Undecided => High

** Changed in: kubuntu-ppa/xenial
   Importance: Undecided => High

** Changed in: kubuntu-ppa/artful
   Assignee: (unassigned) => Simon Quigley (tsimonq2)

** Changed in: kubuntu-ppa/xenial
   Assignee: (unassigned) => Simon Quigley (tsimonq2)


Status in Kubuntu PPA:
  New
Status in Kubuntu PPA artful series:
  New
Status in Kubuntu PPA xenial series:
  New
Status in plasma-workspace package in Ubuntu:
  Fix Released
Status in plasma-workspace source package in Xenial:
  In Progress
Status in plasma-workspace source package in Artful:
  In Progress
Status in plasma-workspace source package in Bionic:
  Fix Released



[Group.of.nepali.translators] [Bug 1748247] Re: [CVE] Arbitrary command execution in the removable device notifier

2018-03-16 Thread Simon Quigley
There isn't even a plasma-workspace on Trusty...

** No longer affects: plasma-workspace (Ubuntu Trusty)


Status in plasma-workspace package in Ubuntu:
  Fix Released
Status in plasma-workspace source package in Xenial:
  In Progress
Status in plasma-workspace source package in Artful:
  In Progress
Status in plasma-workspace source package in Bionic:
  Fix Released



[Group.of.nepali.translators] [Bug 1748247] Re: [CVE] Arbitrary command execution in the removable device notifier

2018-02-20 Thread Simon Quigley
Debian says kde-runtime isn't affected, and I can confirm.

** Changed in: kde-runtime (Ubuntu Trusty)
   Status: In Progress => Invalid

** Changed in: kde-runtime (Ubuntu Xenial)
   Status: In Progress => Invalid

** No longer affects: kde-runtime (Ubuntu)

** No longer affects: kde-runtime (Ubuntu Trusty)

** No longer affects: kde-runtime (Ubuntu Xenial)

** No longer affects: kde-runtime (Ubuntu Artful)

** No longer affects: kde-runtime (Ubuntu Bionic)


Status in plasma-workspace package in Ubuntu:
  Fix Released
Status in plasma-workspace source package in Trusty:
  In Progress
Status in plasma-workspace source package in Xenial:
  In Progress
Status in plasma-workspace source package in Artful:
  In Progress
Status in plasma-workspace source package in Bionic:
  Fix Released

Bug description:
  Patches for this bug should also contain fixes for CVE-2018-6790:

  KDE Project Security Advisory
  =============================

  Title:        Plasma: Notifications can expose user IP address
  Risk Rating:  Low
  CVE:          CVE-2018-6790
  Versions:     Plasma < 5.12.0
  Date:         8 February 2018

  Overview
  ========
  Plasma has support for the Desktop Notifications specification. That
  specification allows embedding images in notifications. Plasma was not
  sanitizing the HTML that forms the notification. That allowed for
  notifications to load a remote image leaking the user IP address. This is in
  turn made a bit worse by the fact that some chat software doesn't sanitize
  the text they send to the notification system either, meaning that a third
  party could send a carefully crafted message to a chat room and get the IP
  addresses of the users in that chat room.

  Workaround
  ==========
  Disable notifications

  Solution
  ========
  Update to Plasma >= 5.12.0 or Plasma >= 5.8.9

  Or apply the following patches:
  Plasma 5.8:
  https://cgit.kde.org/plasma-workspace.git/commit/?h=Plasma/5.8=5bc696b5abcdb460c1017592e80b2d7f6ed3107c

  Credits
  =======
  Thanks to David Edmundson for the fix.

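The sanitisation gap in the CVE-2018-6790 advisory above, as an added example that is not Plasma's own fix: a notification-body filter that keeps the markup subset the Desktop Notifications specification allows (b, i, u, a, img) and drops any img whose src is not a local file. The sample body and the tracker.example host are constructed.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Markup subset the Desktop Notifications specification permits in a body.
ALLOWED_TAGS = {"b", "i", "u", "a", "img"}


def is_local_image(src: str) -> bool:
    """Plain paths and file:// URLs may render; any network scheme would be
    fetched at display time and reveal the viewer's address to that host."""
    return urlsplit(src).scheme.lower() in ("", "file")


class NotificationSanitizer(HTMLParser):
    # Rebuilds the body token by token: allowed tags are re-emitted, all text
    # is re-escaped, everything else (script, iframe, remote img) is dropped.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []  # removed items, for the caller's audit log

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img":
            src = attrs.get("src") or ""
            if is_local_image(src):
                alt = html.escape(attrs.get("alt") or "", quote=True)
                self.out.append(f'<img src="{html.escape(src, quote=True)}" alt="{alt}">')
            else:
                self.dropped.append(f"img:{src}")
        elif tag == "a":
            self.out.append(f'<a href="{html.escape(attrs.get("href") or "", quote=True)}">')
        elif tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")
        else:
            self.dropped.append(f"tag:{tag}")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "img":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data))


def sanitize_notification(body: str):
    """Returns (clean_markup, dropped_items) for one notification body."""
    parser = NotificationSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample: a chat line relayed to the notifier unescaped, carrying a
# remote tracking pixel (tracker.example is a placeholder host) and a local icon.
SAMPLE_BODY = 'hi <b>all</b> <img src="http://tracker.example/p.png" alt="x"><img src="file:///tmp/icon.png" alt="ok">'
```

Calling `sanitize_notification(SAMPLE_BODY)` keeps the bold text and the local icon and reports the remote image in the dropped list, which is what a defender would log.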


[Group.of.nepali.translators] [Bug 1748247] Re: [CVE] Arbitrary command execution in the removable device notifier

2018-02-08 Thread Rik Mills
** Changed in: plasma-workspace (Ubuntu Bionic)
   Status: New => Fix Released


Status in kde-runtime package in Ubuntu:
  New
Status in plasma-workspace package in Ubuntu:
  Fix Released
Status in kde-runtime source package in Trusty:
  In Progress
Status in plasma-workspace source package in Trusty:
  In Progress
Status in kde-runtime source package in Xenial:
  In Progress
Status in plasma-workspace source package in Xenial:
  In Progress
Status in kde-runtime source package in Artful:
  In Progress
Status in plasma-workspace source package in Artful:
  In Progress
Status in kde-runtime source package in Bionic:
  New
Status in plasma-workspace source package in Bionic:
  Fix Released
