KDE Project Security Advisory
=============================

Title:          Plasma Desktop: Arbitrary command execution in the removable device notifier
Risk Rating:    High
CVE:            CVE-2018-6791
Versions:       Plasma < 5.12.0
Date:           8 February 2018


Overview
========
When a vfat thumbdrive which contains `` or $() in its volume label is plugged
and mounted trough the device notifier, it's interpreted as a shell command,
leaving a possibility of arbitrary commands execution. an example of offending
volume label is "$(touch b)" which will create a file called b in the
home folder.

Workaround
==========
Mount removable devices with Dolphin instead of the device notifier.

Solution
========
Update to Plasma >= 5.12.0 or Plasma >= 5.8.9

Or apply the following patches:
Plasma 5.8:
    https://commits.kde.org/plasma-workspace/9db872df82c258315c6ebad800af59e81ffb9212
Plasma 5.9/5.10/5.11:
    https://commits.kde.org/plasma-workspace/f32002ce50edc3891f1fa41173132c820b917d57

Credits
=======
Thanks to ksieluzyckih for the report and to Marco Martin for the fix.