Main Vulnerability Database SB2018020933

SB2018020933 - Arch Linux update for plasma-workspace

Published: February 9, 2018 Updated: February 9, 2018

Security Bulletin ID SB2018020933

CSH Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Physical access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) OS Command Injection (CVE-ID: CVE-2018-6791)

The vulnerability allows a local non-authenticated attacker to execute arbitrary code.

An issue was discovered in soliduiserver/deviceserviceaction.cpp in KDE Plasma Workspace before 5.12.0. When a vfat thumbdrive that contains `` or $() in its volume label is plugged in and mounted through the device notifier, it's interpreted as a shell command, leading to a possibility of arbitrary command execution. An example of an offending volume label is "$(touch b)" -- this will create a file called b in the home folder.

Remediation

Install update from vendor's website.

References

https://security.archlinux.org/advisory/ASA-201802-4