I remember having a discussion with the security team and forgot to
update this bug...

CVE-2018-6790 isn't worth patching because it's a low priority CVE with
an intrusive patch. So I consider that Won't Fix.

** Description changed:

  KDE Project Security Advisory
  =============================
  
  Title:          Plasma Desktop: Arbitrary command execution in the removable device notifier
  Risk Rating:    High
  CVE:            CVE-2018-6791
  Versions:       Plasma < 5.12.0
  Date:           8 February 2018
- 
  
  Overview
  ========
  When a vfat thumbdrive which contains `` or $() in its volume label is plugged
  and mounted through the device notifier, it's interpreted as a shell command,
  leaving a possibility of arbitrary command execution. An example of an offending
  volume label is "$(touch b)", which will create a file called b in the
  home folder.
  
  Workaround
  ==========
  Mount removable devices with Dolphin instead of the device notifier.
  
  Solution
  ========
  Update to Plasma >= 5.12.0 or Plasma >= 5.8.9
  
  Or apply the following patches:
  Plasma 5.8:
-     
https://commits.kde.org/plasma-workspace/9db872df82c258315c6ebad800af59e81ffb9212
+     
https://commits.kde.org/plasma-workspace/9db872df82c258315c6ebad800af59e81ffb9212
  Plasma 5.9/5.10/5.11:
-     
https://commits.kde.org/plasma-workspace/f32002ce50edc3891f1fa41173132c820b917d57
+     
https://commits.kde.org/plasma-workspace/f32002ce50edc3891f1fa41173132c820b917d57
  
  Credits
  =======
  Thanks to ksieluzyckih for the report and to Marco Martin for the fix.
- 
- Patches for this bug should also contain fixes for CVE-2018-6790:
- 
- KDE Project Security Advisory
- =============================
- 
- Title:          Plasma: Notifications can expose user IP address
- Risk Rating:    Low
- CVE:            CVE-2018-6790
- Versions:       Plasma < 5.12.0
- Date:           8 February 2018
- 
- 
- Overview
- ========
- Plasma has support for the Desktop Nofications specification. That 
specification allows
- embedding images in notifications. Plasma was not sanitizing the HTML that 
forms the notification.
- That allowed for notifications to load a remote image leaking the user IP 
address. This is in turn
- made a bit worse by the fact that some chat software doesn't sanitize the 
text they send to the
- notification system either meaning that a third party could send a carefully 
crafted message
- to a chat room and get the IP addresses of the users in that chat room.
- 
- Workaround
- ==========
- Disable notifications
- 
- Solution
- ========
- Update to Plasma >= 5.12.0 or Plasma >= 5.8.9
- 
- Or apply the following patches:
- Plasma 5.8: 
https://cgit.kde.org/plasma-workspace.git/commit/?h=Plasma/5.8&id=5bc696b5abcdb460c1017592e80b2d7f6ed3107c
- 
- Credits
- =======
- Thanks to David Edmundson for the fix.
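The IP-leak mechanism in the removed advisory above comes down to the notification renderer being handed untrusted markup that can contain a remote <img>. The following is an added example, not Plasma's own code or fix: an allow-list sanitiser for a Desktop Notification body. The Desktop Notifications specification permits <b>, <i>, <u>, <a href> and <img src alt>; this example keeps those, rebuilds every attribute from scratch, and drops any <img> whose src is not a file: URL, since a remote src makes the recipient fetch it and so reveals the recipient's IP address. Restricting <a> to http/https and the sample body are this example's choices.

```python
"""Added example, not Plasma's own code: allow-list sanitiser for an
untrusted Desktop Notification body.  Keeps the spec's markup subset
(<b>, <i>, <u>, <a href>, <img src>), rewrites attributes from scratch,
and removes any image that would be fetched from a remote host."""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

FORMATTING_TAGS = {"b", "i", "u"}


class NotificationSanitizer(HTMLParser):
    """Rebuilds the body token by token; unknown tags vanish, text is re-escaped."""

    def __init__(self):
        super().__init__()          # convert_charrefs=True: entities reach handle_data decoded
        self.out = []
        self.dropped_images = []    # remote image URLs that were removed
        self._dropped_anchors = 0   # open <a> tags we refused, so the matching </a> is dropped too

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag in FORMATTING_TAGS:
            self.out.append(f"<{tag}>")
        elif tag == "a":
            href = attrs.get("href", "")
            if urlsplit(href).scheme in ("http", "https"):   # example's policy choice
                self.out.append(f'<a href="{html.escape(href, quote=True)}">')
            else:
                self._dropped_anchors += 1
        elif tag == "img":
            src = attrs.get("src", "")
            if urlsplit(src).scheme == "file":               # local icon: keep
                self.out.append(f'<img src="{html.escape(src, quote=True)}">')
            else:                                             # remote or schemeless: drop
                self.dropped_images.append(src)
        # any other tag (script, iframe, style, ...) is removed; only its text survives

    def handle_endtag(self, tag):
        if tag in FORMATTING_TAGS:
            self.out.append(f"</{tag}>")
        elif tag == "a":
            if self._dropped_anchors:
                self._dropped_anchors -= 1
            else:
                self.out.append("</a>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))     # re-escape decoded text


def sanitize_notification(body):
    """Return (clean_markup, dropped_image_urls) for an untrusted body."""
    parser = NotificationSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.dropped_images


# Constructed sample: what a chat client might forward to the notifier verbatim.
SAMPLE_BODY = '<b>mallory</b>: hi &lt;all&gt; <img src="http://203.0.113.9/t.png" alt="">'

if __name__ == "__main__":
    print(sanitize_notification(SAMPLE_BODY))
```

The dropped-image list is worth logging: a notification that tried to pull an image from a public IP is exactly the "carefully crafted message" the advisory describes, and the list makes such attempts visible rather than silently suppressed.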

** CVE removed: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-6790
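The advisory's mechanism for CVE-2018-6791 is that the volume label ends up inside a string that a shell parses, so `` ` `` and $() in the label execute. The following is an added example in Python, not plasma-workspace code (which is C++/Qt): the unsafe pattern beside two safe ones, plus an audit check. The labels are constructed; the hostile one uses a harmless echo rather than the advisory's "$(touch b)". It needs a POSIX /bin/sh.

```python
"""Added example (not plasma-workspace code): why a volume label that
reaches a shell as part of a command string runs as a command, and two
ways to stop it.  Requires a POSIX /bin/sh."""
import shlex
import subprocess

# Constructed labels.  A FAT volume label holds at most 11 characters,
# and "$(echo pwn)" is exactly 11, so it fits on a real thumbdrive.
LABEL_BENIGN = "MYUSB"
LABEL_HOSTILE = "$(echo pwn)"


def _run(argv_or_cmd, use_shell):
    proc = subprocess.run(argv_or_cmd, shell=use_shell, capture_output=True, text=True)
    return proc.stdout.strip()


def notify_vulnerable(label: str) -> str:
    """Interpolate the label into one command string and hand it to /bin/sh.

    The shell re-parses the whole string, so $(...) and backticks inside
    the label execute.  Only call this with LABEL_HOSTILE above, whose
    payload is an echo; the advisory's "$(touch b)" would create a file.
    """
    return _run(f"echo Mounted {label}", use_shell=True)


def notify_fixed(label: str) -> str:
    """Pass the label as its own argv element: no shell ever parses it."""
    return _run(["echo", "Mounted", label], use_shell=False)


def notify_quoted(label: str) -> str:
    """When a shell string is unavoidable, quote the label for the shell."""
    return _run(f"echo Mounted {shlex.quote(label)}", use_shell=True)


def label_is_suspicious(label: str) -> bool:
    """Audit helper: flag labels carrying the metacharacters the advisory
    names (backtick, $() ) plus the usual command separators."""
    return any(tok in label for tok in ("`", "$(", ";", "|", "&", "\n"))


if __name__ == "__main__":
    for fn in (notify_vulnerable, notify_fixed, notify_quoted):
        print(f"{fn.__name__:18s} -> {fn(LABEL_HOSTILE)!r}")
```

The argv form is the real fix; shlex.quote is the fallback when a shell string is genuinely required (for instance a command template read from configuration). The audit helper is for scanning mount logs or udev events, not a substitute for either.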

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1748247

Title:
  [CVE] Arbitrary command execution in the removable device notifier

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/plasma-workspace/+bug/1748247/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs