group.of.nepali.translators team mailing list archive
Message #22421
[Bug 1748247] Re: [CVE] Arbitrary command execution in the removable device notifier
This bug was fixed in the package plasma-workspace - 4:5.10.5-0ubuntu1.1
---------------
plasma-workspace (4:5.10.5-0ubuntu1.1) artful-security; urgency=high
* SECURITY UPDATE: Arbitrary command execution in the removable device
notifier (LP: #1748247):
- fix-CVE-2018-6791.patch
- CVE-2018-6791
-- Simon Quigley <tsimonq2@xxxxxxxxxx> Fri, 16 Mar 2018 23:02:49 -0500
** Changed in: plasma-workspace (Ubuntu Artful)
Status: In Progress => Fix Released
** Changed in: plasma-workspace (Ubuntu Xenial)
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1748247
Title:
[CVE] Arbitrary command execution in the removable device notifier
Status in Kubuntu PPA:
Fix Released
Status in Kubuntu PPA artful series:
Fix Released
Status in Kubuntu PPA xenial series:
Fix Released
Status in plasma-workspace package in Ubuntu:
Fix Released
Status in plasma-workspace source package in Xenial:
Fix Released
Status in plasma-workspace source package in Artful:
Fix Released
Status in plasma-workspace source package in Bionic:
Fix Released
Bug description:
KDE Project Security Advisory
=============================
Title: Plasma Desktop: Arbitrary command execution in the removable device notifier
Risk Rating: High
CVE: CVE-2018-6791
Versions: Plasma < 5.12.0
Date: 8 February 2018
Overview
========
When a vfat thumbdrive whose volume label contains `` or $() is plugged in
and mounted through the device notifier, the label is passed to a shell
without quoting, so the shell performs command substitution on it. This
leaves a possibility of arbitrary command execution. An example of an
offending volume label is "$(touch b)", which creates a file called b in the
home folder.
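The substitution described above, as an added example that is not part of the advisory or of plasma-workspace: a constructed Python model of the bug class, in which the mount path derived from a volume label is spliced unquoted into a command line and handed to /bin/sh, beside two hardened forms (shell-quoting the substituted value, which is the role a quoting expander such as KMacroExpander::expandMacrosShellQuote plays in KDE code, and dropping the shell entirely for an argv list) and a triage check for labels carrying shell metacharacters. The mount prefix, function names and labels are assumptions; the labels stay within the 11-character FAT volume-label limit, as the advisory's "$(touch b)" does.

```python
"""Constructed model of the CVE-2018-6791 bug class: a removable volume's
label reaching /bin/sh unquoted. This is not Plasma's code; the helper
names, the labels and the mount prefix are assumptions for illustration."""
import shlex
import subprocess

# Constructed volume labels. FAT volume labels hold at most 11 characters,
# so a payload must be short; "$(touch b)" from the advisory fits, and so do these.
LABELS = {
    "benign": "USB_STICK",
    "subst": "$(echo PWN)",    # $() command substitution, 11 characters
    "backtick": "`echo PWN`",  # backtick command substitution, 10 characters
}

MOUNT_PREFIX = "/media/user/"  # assumed automounter layout


def mount_path(label: str) -> str:
    """Mount point derived from the label, as automounters commonly do."""
    return MOUNT_PREFIX + label


def vulnerable_open(label: str) -> str:
    """Bug pattern: build a command string containing the path and hand it
    to sh. Any `` ` `` or $() in the label is expanded by the shell before the
    intended command (here a harmless echo) ever sees it."""
    cmd = "echo opening " + mount_path(label)
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.strip()


def hardened_open_quoted(label: str) -> str:
    """Fix A: keep the shell, but shell-quote every substituted value."""
    cmd = "echo opening " + shlex.quote(mount_path(label))
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.strip()


def hardened_open_argv(label: str) -> str:
    """Fix B (preferred): no shell at all; the path is a single argv element."""
    out = subprocess.run(["echo", "opening", mount_path(label)],
                         capture_output=True, text=True)
    return out.stdout.strip()


# Characters that let a label change the meaning of an unquoted command line.
SHELL_META = set("`$(){};|&<>\"'\\\n")


def label_is_suspicious(label: str) -> bool:
    """Cheap triage check: does this label carry shell metacharacters?"""
    return any(c in SHELL_META for c in label)


if __name__ == "__main__":
    for name, label in LABELS.items():
        print(f"{name:9} vulnerable={vulnerable_open(label)!r} "
              f"quoted={hardened_open_quoted(label)!r} "
              f"argv={hardened_open_argv(label)!r} "
              f"suspicious={label_is_suspicious(label)}")
```

Running the block prints each case: the vulnerable path shows `PWN` where the literal label should appear, while both hardened paths print the label verbatim. The payload here is only an echo, so the script is safe to run, but the same substitution on an unpatched desktop executes whatever the label contains, so do not plug untrusted media into a Plasma session older than the fixed versions below.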
Workaround
==========
Mount removable devices with Dolphin instead of the device notifier.
Solution
========
Update to Plasma >= 5.12.0 or Plasma >= 5.8.9
Or apply the following patches:
Plasma 5.8:
https://commits.kde.org/plasma-workspace/9db872df82c258315c6ebad800af59e81ffb9212
Plasma 5.9/5.10/5.11:
https://commits.kde.org/plasma-workspace/f32002ce50edc3891f1fa41173132c820b917d57
Credits
=======
Thanks to ksieluzyckih for the report and to Marco Martin for the fix.
To manage notifications about this bug go to:
https://bugs.launchpad.net/kubuntu-ppa/+bug/1748247/+subscriptions