Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 647106 (CVE-2018-6790, CVE-2018-6791) - <kde-plasma/plasma-workspace-5.11.5-r1: multiple vulnerabilities (CVE-2018-{6790,6791})
Summary: <kde-plasma/plasma-workspace-5.11.5-r1: multiple vulnerabilities (CVE-2018-{6...
Status: RESOLVED FIXED
Alias: CVE-2018-6790, CVE-2018-6791
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa+ cve]
Keywords: STABLEREQ
Depends on:
Blocks:
 
Reported: 2018-02-09 11:13 UTC by Michael Palimaka (kensington)
Modified: 2018-03-19 01:17 UTC (History)
0 users

See Also:
Package list:
kde-plasma/plasma-workspace-5.11.5-r1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Palimaka (kensington) gentoo-dev 2018-02-09 11:13:52 UTC
KDE Project Security Advisory
=============================

Title:          Plasma Desktop: Arbitrary command execution in the removable device notifier
Risk Rating:    High
CVE:            CVE-2018-6791
Versions:       Plasma < 5.12.0
Date:           8 February 2018


Overview
========
When a vfat thumbdrive which contains `` or $() in its volume label is plugged
and mounted trough the device notifier, it's interpreted as a shell command,
leaving a possibility of arbitrary commands execution. an example of offending
volume label is "$(touch b)" which will create a file called b in the
home folder.

Workaround
==========
Mount removable devices with Dolphin instead of the device notifier.

Solution
========
Update to Plasma >= 5.12.0 or Plasma >= 5.8.9

Or apply the following patches:
Plasma 5.8:
    https://commits.kde.org/plasma-workspace/9db872df82c258315c6ebad800af59e81ffb9212
Plasma 5.9/5.10/5.11:
    https://commits.kde.org/plasma-workspace/f32002ce50edc3891f1fa41173132c820b917d57

Credits
=======
Thanks to ksieluzyckih for the report and to Marco Martin for the fix.


KDE Project Security Advisory
=============================

Title:          Plasma: Notifications can expose user IP address
Risk Rating:    Low
CVE:            CVE-2018-6790
Versions:       Plasma < 5.12.0
Date:           8 February 2018


Overview
========
Plasma has support for the Desktop Nofications specification. That specification allows
embedding images in notifications. Plasma was not sanitizing the HTML that forms the notification.
That allowed for notifications to load a remote image leaking the user IP address. This is in turn
made a bit worse by the fact that some chat software doesn't sanitize the text they send to the
notification system either meaning that a third party could send a carefully crafted message
to a chat room and get the IP addresses of the users in that chat room.

Workaround
==========
Disable notifications

Solution
========
Update to Plasma >= 5.12.0 or Plasma >= 5.8.9

Or apply the following patches:
Plasma 5.8: https://cgit.kde.org/plasma-workspace.git/commit/?h=Plasma/5.8&id=5bc696b5abcdb460c1017592e80b2d7f6ed3107c

Credits
=======
Thanks to David Edmundson for the fix.
Comment 1 Larry the Git Cow gentoo-dev 2018-02-09 13:57:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c006f861f27d664944c9cbbd8653aa5a5fdc1a75

commit c006f861f27d664944c9cbbd8653aa5a5fdc1a75
Author:     Michael Palimaka <kensington@gentoo.org>
AuthorDate: 2018-02-09 13:55:21 +0000
Commit:     Michael Palimaka <kensington@gentoo.org>
CommitDate: 2018-02-09 13:57:32 +0000

    kde-plasma/plasma-workspace: revision bump fixes CVE-2018-6790 and CVE-2018-6791
    
    Bug: https://bugs.gentoo.org/647106
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 .../plasma-workspace-5.11.5-CVE-2018-6790.patch    | 409 +++++++++++++++++++++
 .../plasma-workspace-5.11.5-CVE-2018-6791.patch    |  31 ++
 .../plasma-workspace-5.11.5-r1.ebuild              | 175 +++++++++
 3 files changed, 615 insertions(+)}
Comment 2 Andreas Sturmlechner gentoo-dev 2018-02-12 15:56:07 UTC
Arches, please stabilise.
Comment 3 Thomas Deutschmann gentoo-dev Security 2018-02-12 21:37:59 UTC
x86 stable
Comment 4 Larry the Git Cow gentoo-dev 2018-02-13 11:02:11 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f107055eeea60b00fa60a095ebbe24fc572e2783

commit f107055eeea60b00fa60a095ebbe24fc572e2783
Author:     Michael Palimaka <kensington@gentoo.org>
AuthorDate: 2018-02-13 11:00:48 +0000
Commit:     Michael Palimaka <kensington@gentoo.org>
CommitDate: 2018-02-13 11:02:00 +0000

    kde-plasma/plasma-workspace: stabilise 5.11.5-r1 for amd64
    
    Bug: https://bugs.gentoo.org/647106
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 kde-plasma/plasma-workspace/plasma-workspace-5.11.5-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)}
Comment 5 Michael Palimaka (kensington) gentoo-dev 2018-02-13 11:02:42 UTC
Cleanup done.
Comment 6 Andreas Sturmlechner gentoo-dev 2018-02-18 13:52:18 UTC
kde out.
Comment 7 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-02-18 16:19:46 UTC
New GLSA Request filed.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2018-03-19 01:17:06 UTC
This issue was resolved and addressed in
 GLSA 201803-09 at https://security.gentoo.org/glsa/201803-09
by GLSA coordinator Christopher Diaz Riveros (chrisadr).