PT-2018-17747 · Kde+2 · Kde Plasma Workspace+2
Krzysztof Sieluzycki
·
Published
2018-02-07
·
Updated
2024-06-17
·
CVE-2018-6791
CVSS v2.0
7.2
High
| Vector | AV:L/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
KDE Plasma Workspace versions prior to 5.12.0
Description
An issue was discovered in the device service action of KDE Plasma Workspace. When a vfat thumbdrive with a volume label containing backticks (``) or $() is plugged in and mounted, the label is substituted into a command string that is interpreted by a shell, so the embedded text runs as a shell command. This can lead to arbitrary command execution. For example, a volume label like "$(touch b)" can create a file called b in the home folder.
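The root cause described above is untrusted data (the volume label) being pasted into a shell command string. The following is an added illustration, not code from the advisory or from KDE: it flags labels carrying the $() or backtick forms the advisory names, contrasts the vulnerable string-building pattern with an argv-based call that never involves a shell, and passes a label through a real child process to show it arrives verbatim. The command name `mount-helper` and the sample labels are constructed for this example.

```python
import re
import shlex
import subprocess

# Constructed sample volume labels (not from the advisory): a benign label,
# the advisory's "$(touch b)" shape, and the equivalent backtick form.
SAMPLE_LABELS = ["MYUSB", "$(touch b)", "`touch b`"]

# Shell syntax that would be expanded if the label ever reached "sh -c".
_SHELL_EXPANSION = re.compile(r"\$\(|`")


def label_has_shell_expansion(label: str) -> bool:
    """Flag labels containing $( or backticks, the forms the advisory names."""
    return _SHELL_EXPANSION.search(label) is not None


def vulnerable_command(label: str) -> str:
    """The vulnerable pattern: the label is pasted into a command string that
    is later handed to a shell, so $(...) and backticks get executed.
    'mount-helper' is a hypothetical command name, not KDE's."""
    return f"mount-helper {label}"


def safe_argv(label: str) -> list[str]:
    """Hardened form: build an argv list instead of a shell string. The label
    is a single argument and is never parsed by a shell."""
    return ["mount-helper", label]


def echo_label_via_argv(label: str) -> str:
    """Hand the label to a real child process as one argv element and return
    what the child received; it comes back verbatim, with no expansion."""
    result = subprocess.run(["printf", "%s", label],
                            capture_output=True, text=True, check=True)
    return result.stdout


def quoted_for_shell(label: str) -> str:
    """If a shell string is unavoidable, quote the label so it stays literal."""
    return f"mount-helper {shlex.quote(label)}"


if __name__ == "__main__":
    for label in SAMPLE_LABELS:
        print(f"{label!r}: suspicious={label_has_shell_expansion(label)} "
              f"vulnerable={vulnerable_command(label)!r} safe={safe_argv(label)} "
              f"received={echo_label_via_argv(label)!r}")
```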
Recommendations
For versions prior to 5.12.0, update to version 5.12.0 or later to resolve the issue. As a temporary workaround until the patch is applied, avoid using the device notifier to mount vfat thumbdrives whose volume labels may be malicious, and restrict access to the device notifier to reduce the risk of exploitation.
Fix
OS Command Injection
Weakness Enumeration
Related identifiers
Affected products
Alt Linux
Kde Plasma Workspace
Suse