[Bug 1748247] Re: [CVE] Arbitrary command execution in the removable device notifier
Simon Quigley
tsimonq2 at ubuntu.com
Sat Mar 17 03:48:07 UTC 2018
I remember having a discussion with the security team and forgot to
update this bug...
CVE-2018-6790 isn't worth patching because it's a low priority CVE with
an intrusive patch. So I consider that Won't Fix.
** Description changed:
KDE Project Security Advisory
=============================
Title: Plasma Desktop: Arbitrary command execution in the removable device notifier
Risk Rating: High
CVE: CVE-2018-6791
Versions: Plasma < 5.12.0
Date: 8 February 2018
-
Overview
========
When a vfat thumbdrive which contains `` or $() in its volume label is plugged
and mounted trough the device notifier, it's interpreted as a shell command,
leaving a possibility of arbitrary commands execution. an example of offending
volume label is "$(touch b)" which will create a file called b in the
home folder.
Workaround
==========
Mount removable devices with Dolphin instead of the device notifier.
Solution
========
Update to Plasma >= 5.12.0 or Plasma >= 5.8.9
Or apply the following patches:
Plasma 5.8:
- https://commits.kde.org/plasma-workspace/9db872df82c258315c6ebad800af59e81ffb9212
+ https://commits.kde.org/plasma-workspace/9db872df82c258315c6ebad800af59e81ffb9212
Plasma 5.9/5.10/5.11:
- https://commits.kde.org/plasma-workspace/f32002ce50edc3891f1fa41173132c820b917d57
+ https://commits.kde.org/plasma-workspace/f32002ce50edc3891f1fa41173132c820b917d57
Credits
=======
Thanks to ksieluzyckih for the report and to Marco Martin for the fix.
-
- Patches for this bug should also contain fixes for CVE-2018-6790:
-
- KDE Project Security Advisory
- =============================
-
- Title: Plasma: Notifications can expose user IP address
- Risk Rating: Low
- CVE: CVE-2018-6790
- Versions: Plasma < 5.12.0
- Date: 8 February 2018
-
-
- Overview
- ========
- Plasma has support for the Desktop Nofications specification. That specification allows
- embedding images in notifications. Plasma was not sanitizing the HTML that forms the notification.
- That allowed for notifications to load a remote image leaking the user IP address. This is in turn
- made a bit worse by the fact that some chat software doesn't sanitize the text they send to the
- notification system either meaning that a third party could send a carefully crafted message
- to a chat room and get the IP addresses of the users in that chat room.
-
- Workaround
- ==========
- Disable notifications
-
- Solution
- ========
- Update to Plasma >= 5.12.0 or Plasma >= 5.8.9
-
- Or apply the following patches:
- Plasma 5.8: https://cgit.kde.org/plasma-workspace.git/commit/?h=Plasma/5.8&id=5bc696b5abcdb460c1017592e80b2d7f6ed3107c
-
- Credits
- =======
- Thanks to David Edmundson for the fix.
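The injection the first advisory describes (a volume label such as "$(touch b)" reaching a shell unquoted) comes down to how the mount path is handed to the process that opens it. The following Python is an added illustration, not code from the advisory, from Plasma, or from Marco Martin's fix: it builds the risky shell string without ever executing it, then shows the two hardened forms, shell-quoting every untrusted piece and, preferably, using an argv list so no shell is involved. The mount prefix, the use of xdg-open as a stand-in opener, the sample labels and the metacharacter check are all constructed for the example.

```python
import shlex
import subprocess
import sys

# Constructed sample labels (not from the advisory): one benign, two carrying the
# shell metacharacters the advisory describes ($() and backticks).
SAMPLE_LABELS = ["MYUSB", "$(touch b)", "`id`"]

MOUNT_ROOT = "/media/user"  # assumed mount prefix, for illustration only


def unsafe_command(label: str) -> str:
    """Risky pattern: an untrusted label interpolated into a string destined for
    `sh -c`. The string is only built here, never executed."""
    return f"xdg-open {MOUNT_ROOT}/{label}"


def quoted_command(label: str) -> str:
    """If a shell string is unavoidable, shell-quote every untrusted piece."""
    return f"xdg-open {MOUNT_ROOT}/{shlex.quote(label)}"


def quoted_argv(label: str) -> list:
    """What a POSIX shell would actually see after parsing quoted_command():
    the label survives as one literal argument."""
    return shlex.split(quoted_command(label))


def safe_argv(label: str) -> list:
    """Preferred fix: no shell at all; the path is a single argv element."""
    return ["xdg-open", f"{MOUNT_ROOT}/{label}"]


def label_is_suspicious(label: str) -> bool:
    """Defensive check for logging or alerting: flag labels that contain
    command substitution or command separators."""
    return any(tok in label for tok in ("$(", "`", ";", "|", "&", "\n"))


def echo_via_argv(label: str) -> str:
    """Run a child process with an argv list (a stand-in for the opener) and
    return the path it received; metacharacters in the label arrive untouched."""
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1], end='')",
            f"{MOUNT_ROOT}/{label}"]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for label in SAMPLE_LABELS:
        print(f"label {label!r}: suspicious={label_is_suspicious(label)}")
        print("  unsafe string  :", unsafe_command(label))
        print("  quoted string  :", quoted_command(label))
        print("  shell sees     :", quoted_argv(label))
        print("  argv (no shell):", safe_argv(label))
        print("  child received :", echo_via_argv(label))
```

Running it shows that for "$(touch b)" the unsafe string is exactly what a shell would expand, while both hardened forms deliver the literal path "/media/user/$(touch b)" to the child. The argv form is the one to prefer in new code, because quoting has to be remembered at every interpolation point and the shell is not needed here at all.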
** CVE removed: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-6790
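The second advisory (CVE-2018-6790, dropped from this bug's description above) concerns notification bodies that were passed through as HTML, so an <img> pointing at a remote host caused a fetch that revealed the viewer's IP address. As an added example, not Plasma's code or David Edmundson's fix, the following Python sanitizes a notification body with an allow-list parser: only a small set of inline tags survives, attributes are dropped, text is re-escaped, and any <img> source that was removed is reported so it can be logged. The allowed tag set and the sample body are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Inline markup kept in the notification; everything else (including <img> and
# <a>) is dropped so the body can never trigger a remote fetch.
# This tag set is an assumption made for the example, not Plasma's policy.
ALLOWED_TAGS = {"b", "i", "u"}

# Constructed sample notification body, as a chat client might forward it.
SAMPLE_BODY = ('hi <b>there</b> <img src="http://example.invalid/x.png">'
               '<script>alert(1)</script> a&b')


class NotificationSanitizer(HTMLParser):
    """Rebuilds the body from parsed tokens instead of editing the raw string."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped_images = []  # src values of removed <img> tags, for logging

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes deliberately discarded
        elif tag == "img":
            src = dict(attrs).get("src")
            if src:
                self.dropped_images.append(src)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text content is re-escaped so it cannot reopen markup.
        self.out.append(html.escape(data, quote=False))


def sanitize_notification(body: str):
    """Return (clean_html, dropped_image_sources) for a notification body."""
    parser = NotificationSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), list(parser.dropped_images)


if __name__ == "__main__":
    clean, dropped = sanitize_notification(SAMPLE_BODY)
    print("clean body   :", clean)
    print("dropped imgs :", dropped)
```

The parser approach matters more than the particular tag list: regex-based stripping tends to miss variants, whereas rebuilding from tokens means anything not explicitly allowed cannot reach the renderer. The dropped-image list gives a detection hook: a notification source that repeatedly carries remote image references is worth a closer look.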
--
You received this bug notification because you are a member of Kubuntu
Bugs, which is subscribed to plasma-workspace in Ubuntu.
https://bugs.launchpad.net/bugs/1748247
Title:
[CVE] Arbitrary command execution in the removable device notifier
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/plasma-workspace/+bug/1748247/+subscriptions