An issue exists in soliduiserver/deviceserviceaction.cpp in KDE Plasma Workspace prior to 5.12.0. When a vfat thumbdrive whose volume label contains backticks (``) or $() is plugged in and mounted through the device notifier, the label is interpreted as a shell command, allowing arbitrary command execution. An example of an offending volume label is "$(touch b)"; this creates a file called b in the home folder.
Vulnerable Product |
---|
kde plasma-workspace |
debian debian linux 9.0 |
Tweak VFAT volume to execute arbitrary code
A recently resolved flaw in the KDE Linux desktop environment meant that files held on a USB stick could be executed as soon as they were plugged into a vulnerable device. The security howler created a means to execute arbitrary code on KDE by simply naming a pendrive VFAT volume $() or similar, as explained in this advisory (extract below) put out late last week: The CVE-2018-6791 vulnerability – unsurprisingly designated as high risk – was fixed on Thursday with an update to the Plasma Des...
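The pattern behind this bug, a volume label spliced verbatim into a command line that a shell later interprets, beside the quoting that defuses it, as an added C++ illustration; this is not the plasma-workspace code, and the function names, the program name and the single-quote escaping are assumptions. Nothing here runs a command: both builders only return the command string.

```cpp
#include <iostream>
#include <string>

// Added illustration, not the plasma-workspace code (assumed names throughout).

// Unsafe pattern: the label is concatenated into a command line that is
// later handed to a shell, so "$(...)" or backticks inside the label become
// a command substitution. The string is returned, never executed here.
std::string buildCommandUnsafe(const std::string &program, const std::string &label) {
    return program + " " + label;
}

// Single-quote an argument so a POSIX shell treats its contents literally.
// A single quote inside the value is closed, escaped and reopened: '\''.
std::string quoteArg(const std::string &arg) {
    std::string out = "'";
    for (char c : arg) {
        if (c == '\'') {
            out += "'\\''";
        } else {
            out += c;
        }
    }
    out += "'";
    return out;
}

// Hardened pattern: the label is quoted before it reaches the command line,
// so its shell metacharacters are passed through as plain text.
std::string buildCommandSafe(const std::string &program, const std::string &label) {
    return program + " " + quoteArg(label);
}

// Detection helper: flag labels that carry shell command-substitution syntax,
// e.g. for logging when a freshly mounted volume looks suspicious.
bool labelHasSubstitution(const std::string &label) {
    return label.find("$(") != std::string::npos || label.find('`') != std::string::npos;
}

int main() {
    const std::string label = "$(touch b)";   // the label from the advisory
    std::cout << "unsafe: " << buildCommandUnsafe("mount-helper", label) << "\n";
    std::cout << "safe:   " << buildCommandSafe("mount-helper", label) << "\n";
    std::cout << "flagged: " << (labelHasSubstitution(label) ? "yes" : "no") << "\n";
    return 0;
}
```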