An issue was discovered in soliduiserver/deviceserviceaction.cpp in KDE Plasma Workspace before 5.12.0. When a vfat thumbdrive whose volume label contains backticks (``) or $() is plugged in and mounted through the device notifier, the label is interpreted as a shell command, allowing arbitrary command execution. An example of an offending volume label is "$(touch b)" -- this will create a file called b in the home folder. External References: https://www.kde.org/info/security/advisory-20180208-2.txt
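The root cause described above is a volume label being substituted unquoted into a shell command string. The following added example (not code from plasma-workspace) contrasts that pattern with a hardened variant that wraps the substituted value in POSIX single quotes, and adds the kind of check a detection rule could apply to device labels. The "%l" placeholder and the "open %l" template are assumptions constructed for the illustration; they are not the actual template used by the device notifier.

```cpp
#include <iostream>
#include <string>

// Replace every occurrence of the placeholder "%l" in tmpl with value.
// ("%l" is a constructed placeholder for this example.)
static std::string substitute(const std::string& tmpl, const std::string& value) {
    std::string out;
    for (std::size_t i = 0; i < tmpl.size(); ++i) {
        if (tmpl[i] == '%' && i + 1 < tmpl.size() && tmpl[i + 1] == 'l') {
            out += value;
            ++i;  // skip the 'l'
        } else {
            out += tmpl[i];
        }
    }
    return out;
}

// POSIX shell single-quoting: wrap in '...' and turn each embedded ' into '\''.
// Inside single quotes the shell performs no expansion, so `...` and $(...) in
// the label become literal characters of the argument.
std::string shellQuote(const std::string& s) {
    std::string out = "'";
    for (char c : s) {
        if (c == '\'') {
            out += "'\\''";
        } else {
            out += c;
        }
    }
    out += "'";
    return out;
}

// Vulnerable pattern: the raw label lands in the command line, so a label
// such as "$(touch b)" is executed by the shell as command substitution.
std::string expandUnquoted(const std::string& tmpl, const std::string& label) {
    return substitute(tmpl, label);
}

// Hardened pattern: the label is quoted before substitution, so the shell
// passes it through as one literal argument.
std::string expandQuoted(const std::string& tmpl, const std::string& label) {
    return substitute(tmpl, shellQuote(label));
}

// Detection helper: flag labels carrying the two shell constructs named in
// the advisory. Useful for alerting or for refusing to auto-run actions on
// such devices; it is not a substitute for quoting.
bool labelHasShellMeta(const std::string& label) {
    return label.find('`') != std::string::npos ||
           label.find("$(") != std::string::npos;
}

int main() {
    const std::string tmpl = "open %l";          // constructed command template
    const std::string label = "$(touch b)";     // the label from the advisory
    std::cout << "unquoted: " << expandUnquoted(tmpl, label) << "\n";
    std::cout << "quoted:   " << expandQuoted(tmpl, label) << "\n";
    std::cout << "suspicious: " << (labelHasShellMeta(label) ? "yes" : "no") << "\n";
    return 0;
}
```

The unquoted line is exactly what a shell would evaluate as a command substitution; the quoted line keeps the same characters but as an inert argument. Passing the label as a separate argv element through a non-shell process launcher (for example QProcess with an argument list) avoids the shell entirely and is the preferable fix where the design allows it.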
Created plasma-workspace tracking bugs for this issue: Affects: fedora-all [bug 1543471]
Upstream commits:
Plasma 5.8: https://commits.kde.org/plasma-workspace/9db872df82c258315c6ebad800af59e81ffb9212
Plasma 5.9/5.10/5.11: https://commits.kde.org/plasma-workspace/f32002ce50edc3891f1fa41173132c820b917d57
Statement: This issue did not affect the versions of kdebase-runtime as shipped with Red Hat Enterprise Linux 6. This issue did not affect the versions of kde-runtime as shipped with Red Hat Enterprise Linux 7.