KDE Project Security Advisory
=============================

Title:        Plasma Desktop: Arbitrary command execution in the removable device notifier
Risk Rating:  High
CVE:          CVE-2018-6791
Versions:     Plasma < 5.12.0
Date:         8 February 2018

Overview
========

When a vfat thumbdrive which contains `` or $() in its volume label is plugged in and mounted through the device notifier, the label is interpreted as a shell command, leaving a possibility of arbitrary command execution.

An example of an offending volume label is "$(touch b)", which will create a file called b in the home folder.

Workaround
==========

Mount removable devices with Dolphin instead of the device notifier.

Solution
========

Update to Plasma >= 5.12.0 or Plasma >= 5.8.9

Or apply the following patches:

Plasma 5.8: https://commits.kde.org/plasma-workspace/9db872df82c258315c6ebad800af59e81ffb9212
Plasma 5.9/5.10/5.11: https://commits.kde.org/plasma-workspace/f32002ce50edc3891f1fa41173132c820b917d57

Credits
=======

Thanks to ksieluzyckih for the report and to Marco Martin for the fix.


KDE Project Security Advisory
=============================

Title:        Plasma: Notifications can expose user IP address
Risk Rating:  Low
CVE:          CVE-2018-6790
Versions:     Plasma < 5.12.0
Date:         8 February 2018

Overview
========

Plasma has support for the Desktop Notifications specification. That specification allows embedding images in notifications. Plasma was not sanitizing the HTML that forms the notification. That allowed notifications to load a remote image, leaking the user's IP address.

This is in turn made a bit worse by the fact that some chat software doesn't sanitize the text it sends to the notification system either, meaning that a third party could send a carefully crafted message to a chat room and get the IP addresses of the users in that chat room.

Workaround
==========

Disable notifications.

Solution
========

Update to Plasma >= 5.12.0 or Plasma >= 5.8.9

Or apply the following patches:

Plasma 5.8: https://cgit.kde.org/plasma-workspace.git/commit/?h=Plasma/5.8&id=5bc696b5abcdb460c1017592e80b2d7f6ed3107c

Credits
=======

Thanks to David Edmundson for the fix.
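The CVE-2018-6791 overview above describes the classic shape of a shell injection: untrusted text (here a vfat volume label) spliced into a command string that is then handed to /bin/sh. The script below is an added example, not code from Plasma or from the KDE advisory; it uses `echo` as a stand-in for the real mount/open helper so nothing on disk is touched, and the labels are constructed for the demonstration (a FAT label is at most 11 characters, which is still room for "$(touch b)").

```python
"""Added example (not Plasma's code): how a hostile volume label reaches a shell.

`echo` stands in for the helper the device notifier would run; the labels are
constructed sample input.
"""
import shlex
import subprocess

# Constructed sample labels.
BENIGN_LABEL = "BACKUP"
HOSTILE_LABEL = "$(echo PWNED)"   # same shape as "$(touch b)" from the advisory


def run_vulnerable(label: str) -> str:
    """Vulnerable pattern: the label is interpolated into a string that /bin/sh parses.

    Any `...` or $(...) in the label is expanded by the shell before the real
    command runs, so the label's contents execute as a command.
    """
    cmd = f"echo mounting {label}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return out.stdout.strip()


def run_quoted(label: str) -> str:
    """Mitigation 1: still a shell string, but the label is single-quoted with
    shlex.quote so the shell sees one literal word and performs no expansion."""
    cmd = f"echo mounting {shlex.quote(label)}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return out.stdout.strip()


def run_argv(label: str) -> str:
    """Mitigation 2 (preferred): no shell at all. The label is a single argv
    element passed straight to execve, so metacharacters are never interpreted."""
    out = subprocess.run(["echo", "mounting", label],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    for label in (BENIGN_LABEL, HOSTILE_LABEL):
        print(f"label={label!r}")
        print("  vulnerable:", run_vulnerable(label))   # hostile label -> 'mounting PWNED'
        print("  quoted    :", run_quoted(label))       # literal label text
        print("  argv      :", run_argv(label))         # literal label text
```

The argv form is the one to reach for: quoting fixes this particular parser, but every place that later re-joins the arguments into a string (a wrapper script, a `%f`-style placeholder expansion, a remote shell) reintroduces the problem, whereas an argv vector never passes through a shell at all.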
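For CVE-2018-6790 the issue is the opposite direction: markup arriving in a notification body is rendered as-is, and an `<img>` pointing at a remote host makes the desktop fetch it. The sanitizer below is an added example and is not the Plasma fix itself; it implements a whitelist over the small HTML subset the Desktop Notifications specification permits (`<b>`, `<i>`, `<u>`, `<a href>`, `<img src alt>`) and, as this example's own policy, keeps an `<img>` only when its source is local (no scheme or `file:`). The sample message is constructed for the demonstration.

```python
"""Added example (not Plasma's code): whitelist sanitizer for notification body markup.

Policy (this example's own assumption): keep b/i/u/a/img, drop every other tag,
re-escape all text, and remove any <img> whose src is not a local resource so a
crafted chat message cannot make the client fetch a remote image.
"""
from html import escape
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit

ALLOWED_TAGS = {"b", "i", "u", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
LOCAL_SCHEMES = {"", "file"}   # assumption: only local images are acceptable


def _is_local(src: str) -> bool:
    return urlsplit(src).scheme.lower() in LOCAL_SCHEMES


class NotificationSanitizer(HTMLParser):
    """Re-emits only whitelisted tags/attributes; everything else is dropped and
    text is re-escaped so it cannot smuggle markup back in."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: List[str] = []
        self.dropped: List[str] = []   # sources of images that were removed

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                      # unknown tag: drop it, keep its text content
        allowed = ALLOWED_ATTRS.get(tag, set())
        kept = {k: v for k, v in attrs if k in allowed and v is not None}
        if tag == "img":
            src = kept.get("src", "")
            if not src or not _is_local(src):
                self.dropped.append(src)
                if kept.get("alt"):     # keep the alt text so the user still sees something
                    self.out.append(escape(kept["alt"]))
                return
        attr_text = "".join(f' {k}="{escape(v, quote=True)}"' for k, v in kept.items())
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "img":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))


def sanitize(body: str) -> Tuple[str, List[str]]:
    """Return (clean_markup, list_of_dropped_image_sources)."""
    p = NotificationSanitizer()
    p.feed(body)
    p.close()
    return "".join(p.out), p.dropped


# Constructed sample: what a chat client might forward verbatim from a room message.
SAMPLE = ('<b>alice</b>: check this <img src="http://203.0.113.7/t.gif" alt="pic"> '
          '<script>alert(1)</script> <a href="https://example.org">link</a> '
          '<img src="file:///usr/share/icons/x.png">')

if __name__ == "__main__":
    clean, dropped = sanitize(SAMPLE)
    print(clean)
    print("dropped remote images:", dropped)
```

Note that the `<a href>` to a remote site is left in place: a link is only fetched when the user clicks it, whereas an image is fetched automatically at render time, which is exactly the property that leaks the address.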
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c006f861f27d664944c9cbbd8653aa5a5fdc1a75

commit c006f861f27d664944c9cbbd8653aa5a5fdc1a75
Author:     Michael Palimaka <kensington@gentoo.org>
AuthorDate: 2018-02-09 13:55:21 +0000
Commit:     Michael Palimaka <kensington@gentoo.org>
CommitDate: 2018-02-09 13:57:32 +0000

    kde-plasma/plasma-workspace: revision bump fixes CVE-2018-6790 and CVE-2018-6791

    Bug: https://bugs.gentoo.org/647106
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 .../plasma-workspace-5.11.5-CVE-2018-6790.patch | 409 +++++++++++++++++++++
 .../plasma-workspace-5.11.5-CVE-2018-6791.patch |  31 ++
 .../plasma-workspace-5.11.5-r1.ebuild           | 175 +++++++++
 3 files changed, 615 insertions(+)
Arches, please stabilise.
x86 stable
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f107055eeea60b00fa60a095ebbe24fc572e2783

commit f107055eeea60b00fa60a095ebbe24fc572e2783
Author:     Michael Palimaka <kensington@gentoo.org>
AuthorDate: 2018-02-13 11:00:48 +0000
Commit:     Michael Palimaka <kensington@gentoo.org>
CommitDate: 2018-02-13 11:02:00 +0000

    kde-plasma/plasma-workspace: stabilise 5.11.5-r1 for amd64

    Bug: https://bugs.gentoo.org/647106
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 kde-plasma/plasma-workspace/plasma-workspace-5.11.5-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Cleanup done.
kde out.
New GLSA Request filed.
This issue was resolved and addressed in GLSA 201803-09 at https://security.gentoo.org/glsa/201803-09 by GLSA coordinator Christopher Diaz Riveros (chrisadr).