| 2018-02-08 17:42:59 |
Simon Quigley |
bug |
|
|
added bug |
| 2018-02-08 17:43:08 |
Simon Quigley |
nominated for series |
|
Ubuntu Xenial |
|
| 2018-02-08 17:43:08 |
Simon Quigley |
bug task added |
|
plasma-workspace (Ubuntu Xenial) |
|
| 2018-02-08 17:43:08 |
Simon Quigley |
nominated for series |
|
Ubuntu Trusty |
|
| 2018-02-08 17:43:08 |
Simon Quigley |
bug task added |
|
plasma-workspace (Ubuntu Trusty) |
|
| 2018-02-08 17:43:08 |
Simon Quigley |
nominated for series |
|
Ubuntu Bionic |
|
| 2018-02-08 17:43:08 |
Simon Quigley |
bug task added |
|
plasma-workspace (Ubuntu Bionic) |
|
| 2018-02-08 17:43:08 |
Simon Quigley |
nominated for series |
|
Ubuntu Artful |
|
| 2018-02-08 17:43:08 |
Simon Quigley |
bug task added |
|
plasma-workspace (Ubuntu Artful) |
|
| 2018-02-08 17:44:19 |
Simon Quigley |
bug task added |
|
kde-runtime (Ubuntu) |
|
| 2018-02-08 17:45:55 |
Simon Quigley |
plasma-workspace (Ubuntu Bionic): importance |
Undecided |
High |
|
| 2018-02-08 17:45:55 |
Simon Quigley |
plasma-workspace (Ubuntu Bionic): assignee |
|
Rik Mills (rikmills) |
|
| 2018-02-08 17:46:12 |
Simon Quigley |
plasma-workspace (Ubuntu Artful): importance |
Undecided |
High |
|
| 2018-02-08 17:46:12 |
Simon Quigley |
plasma-workspace (Ubuntu Artful): status |
New |
In Progress |
|
| 2018-02-08 17:46:12 |
Simon Quigley |
plasma-workspace (Ubuntu Artful): assignee |
|
Simon Quigley (tsimonq2) |
|
| 2018-02-08 17:46:26 |
Simon Quigley |
plasma-workspace (Ubuntu Xenial): importance |
Undecided |
High |
|
| 2018-02-08 17:46:26 |
Simon Quigley |
plasma-workspace (Ubuntu Xenial): status |
New |
In Progress |
|
| 2018-02-08 17:46:26 |
Simon Quigley |
plasma-workspace (Ubuntu Xenial): assignee |
|
Simon Quigley (tsimonq2) |
|
| 2018-02-08 17:47:14 |
Simon Quigley |
plasma-workspace (Ubuntu Trusty): importance |
Undecided |
High |
|
| 2018-02-08 17:47:14 |
Simon Quigley |
plasma-workspace (Ubuntu Trusty): status |
New |
In Progress |
|
| 2018-02-08 17:47:14 |
Simon Quigley |
plasma-workspace (Ubuntu Trusty): assignee |
|
Simon Quigley (tsimonq2) |
|
| 2018-02-08 17:47:29 |
Simon Quigley |
kde-runtime (Ubuntu Bionic): assignee |
|
Rik Mills (rikmills) |
|
| 2018-02-08 17:47:39 |
Simon Quigley |
kde-runtime (Ubuntu Bionic): importance |
Undecided |
High |
|
| 2018-02-08 17:47:51 |
Simon Quigley |
kde-runtime (Ubuntu Artful): importance |
Undecided |
High |
|
| 2018-02-08 17:47:51 |
Simon Quigley |
kde-runtime (Ubuntu Artful): status |
New |
In Progress |
|
| 2018-02-08 17:47:51 |
Simon Quigley |
kde-runtime (Ubuntu Artful): assignee |
|
Simon Quigley (tsimonq2) |
|
| 2018-02-08 17:48:05 |
Simon Quigley |
kde-runtime (Ubuntu Xenial): importance |
Undecided |
High |
|
| 2018-02-08 17:48:05 |
Simon Quigley |
kde-runtime (Ubuntu Xenial): status |
New |
In Progress |
|
| 2018-02-08 17:48:05 |
Simon Quigley |
kde-runtime (Ubuntu Xenial): assignee |
|
Simon Quigley (tsimonq2) |
|
| 2018-02-08 17:48:28 |
Simon Quigley |
kde-runtime (Ubuntu Trusty): importance |
Undecided |
High |
|
| 2018-02-08 17:48:28 |
Simon Quigley |
kde-runtime (Ubuntu Trusty): status |
New |
In Progress |
|
| 2018-02-08 17:48:38 |
Simon Quigley |
kde-runtime (Ubuntu Trusty): assignee |
|
Simon Quigley (tsimonq2) |
|
| 2018-02-08 17:49:06 |
Simon Quigley |
cve linked |
|
2018-6790 |
|
| 2018-02-08 17:49:06 |
Simon Quigley |
cve linked |
|
2018-6791 |
|
| 2018-02-08 17:53:02 |
Simon Quigley |
bug |
|
|
added subscriber Kubuntu Release |
| 2018-02-08 17:54:42 |
Rik Mills |
plasma-workspace (Ubuntu Bionic): status |
New |
Fix Released |
|
| 2018-02-08 18:07:30 |
Rik Mills |
kde-runtime (Ubuntu Bionic): status |
New |
Incomplete |
|
| 2018-02-21 03:15:53 |
Simon Quigley |
kde-runtime (Ubuntu Trusty): status |
In Progress |
Invalid |
|
| 2018-02-21 03:16:01 |
Simon Quigley |
kde-runtime (Ubuntu Xenial): status |
In Progress |
Invalid |
|
| 2018-02-21 03:16:08 |
Simon Quigley |
bug task deleted |
kde-runtime (Ubuntu) |
|
|
| 2018-02-21 03:16:23 |
Simon Quigley |
bug task deleted |
kde-runtime (Ubuntu Trusty) |
|
|
| 2018-02-21 03:16:25 |
Simon Quigley |
bug task deleted |
kde-runtime (Ubuntu Xenial) |
|
|
| 2018-02-21 03:16:30 |
Simon Quigley |
bug task deleted |
kde-runtime (Ubuntu Artful) |
|
|
| 2018-02-21 03:16:35 |
Simon Quigley |
bug task deleted |
kde-runtime (Ubuntu Bionic) |
|
|
| 2018-03-17 03:46:06 |
Simon Quigley |
bug task deleted |
plasma-workspace (Ubuntu Trusty) |
|
|
| 2018-03-17 03:48:27 |
Simon Quigley |
description |
KDE Project Security Advisory
=============================
Title: Plasma Desktop: Arbitrary command execution in the removable device notifier
Risk Rating: High
CVE: CVE-2018-6791
Versions: Plasma < 5.12.0
Date: 8 February 2018
Overview
========
When a vfat thumbdrive which contains `` or $() in its volume label is plugged
and mounted trough the device notifier, it's interpreted as a shell command,
leaving a possibility of arbitrary commands execution. an example of offending
volume label is "$(touch b)" which will create a file called b in the
home folder.
Workaround
==========
Mount removable devices with Dolphin instead of the device notifier.
Solution
========
Update to Plasma >= 5.12.0 or Plasma >= 5.8.9
Or apply the following patches:
Plasma 5.8:
https://commits.kde.org/plasma-workspace/9db872df82c258315c6ebad800af59e81ffb9212
Plasma 5.9/5.10/5.11:
https://commits.kde.org/plasma-workspace/f32002ce50edc3891f1fa41173132c820b917d57
Credits
=======
Thanks to ksieluzyckih for the report and to Marco Martin for the fix.
Patches for this bug should also contain fixes for CVE-2018-6790:
KDE Project Security Advisory
=============================
Title: Plasma: Notifications can expose user IP address
Risk Rating: Low
CVE: CVE-2018-6790
Versions: Plasma < 5.12.0
Date: 8 February 2018
Overview
========
Plasma has support for the Desktop Nofications specification. That specification allows
embedding images in notifications. Plasma was not sanitizing the HTML that forms the notification.
That allowed for notifications to load a remote image leaking the user IP address. This is in turn
made a bit worse by the fact that some chat software doesn't sanitize the text they send to the
notification system either meaning that a third party could send a carefully crafted message
to a chat room and get the IP addresses of the users in that chat room.
Workaround
==========
Disable notifications
Solution
========
Update to Plasma >= 5.12.0 or Plasma >= 5.8.9
Or apply the following patches:
Plasma 5.8: https://cgit.kde.org/plasma-workspace.git/commit/?h=Plasma/5.8&id=5bc696b5abcdb460c1017592e80b2d7f6ed3107c
Credits
=======
Thanks to David Edmundson for the fix. |
KDE Project Security Advisory
=============================
Title: Plasma Desktop: Arbitrary command execution in the removable device notifier
Risk Rating: High
CVE: CVE-2018-6791
Versions: Plasma < 5.12.0
Date: 8 February 2018
Overview
========
When a vfat thumbdrive which contains `` or $() in its volume label is plugged
and mounted trough the device notifier, it's interpreted as a shell command,
leaving a possibility of arbitrary commands execution. an example of offending
volume label is "$(touch b)" which will create a file called b in the
home folder.
Workaround
==========
Mount removable devices with Dolphin instead of the device notifier.
Solution
========
Update to Plasma >= 5.12.0 or Plasma >= 5.8.9
Or apply the following patches:
Plasma 5.8:
https://commits.kde.org/plasma-workspace/9db872df82c258315c6ebad800af59e81ffb9212
Plasma 5.9/5.10/5.11:
https://commits.kde.org/plasma-workspace/f32002ce50edc3891f1fa41173132c820b917d57
Credits
=======
Thanks to ksieluzyckih for the report and to Marco Martin for the fix. |
|
| 2018-03-17 03:48:40 |
Simon Quigley |
cve unlinked |
2018-6790 |
|
|
| 2018-03-17 03:55:52 |
Simon Quigley |
bug task added |
|
kubuntu-ppa |
|
| 2018-03-17 03:56:00 |
Simon Quigley |
nominated for series |
|
kubuntu-ppa/artful |
|
| 2018-03-17 03:56:00 |
Simon Quigley |
bug task added |
|
kubuntu-ppa/artful |
|
| 2018-03-17 03:56:00 |
Simon Quigley |
nominated for series |
|
kubuntu-ppa/xenial |
|
| 2018-03-17 03:56:00 |
Simon Quigley |
bug task added |
|
kubuntu-ppa/xenial |
|
| 2018-03-17 03:56:05 |
Simon Quigley |
kubuntu-ppa/artful: importance |
Undecided |
High |
|
| 2018-03-17 03:56:06 |
Simon Quigley |
kubuntu-ppa/xenial: importance |
Undecided |
High |
|
| 2018-03-17 03:56:10 |
Simon Quigley |
kubuntu-ppa/artful: assignee |
|
Simon Quigley (tsimonq2) |
|
| 2018-03-17 03:56:11 |
Simon Quigley |
kubuntu-ppa/xenial: assignee |
|
Simon Quigley (tsimonq2) |
|
| 2018-03-17 04:31:18 |
Simon Quigley |
kubuntu-ppa/artful: status |
New |
Fix Released |
|
| 2018-03-17 04:31:20 |
Simon Quigley |
kubuntu-ppa/xenial: status |
New |
Fix Released |
|
| 2018-03-17 04:38:48 |
Simon Quigley |
bug |
|
|
added subscriber Ubuntu Security Sponsors Team |
| 2018-03-21 20:07:47 |
Launchpad Janitor |
plasma-workspace (Ubuntu Artful): status |
In Progress |
Fix Released |
|
| 2018-03-21 20:07:52 |
Launchpad Janitor |
plasma-workspace (Ubuntu Xenial): status |
In Progress |
Fix Released |
|
