[CVE] Arbitrary command execution in the removable device notifier

Bug #1748247 reported by Simon Quigley
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Kubuntu PPA
Fix Released
High
Simon Quigley
Artful
Fix Released
High
Simon Quigley
Xenial
Fix Released
High
Simon Quigley
plasma-workspace (Ubuntu)
Fix Released
High
Rik Mills
Xenial
Fix Released
High
Simon Quigley
Artful
Fix Released
High
Simon Quigley
Bionic
Fix Released
High
Rik Mills

Bug Description

KDE Project Security Advisory
=============================

Title: Plasma Desktop: Arbitrary command execution in the removable device notifier
Risk Rating: High
CVE: CVE-2018-6791
Versions: Plasma < 5.12.0
Date: 8 February 2018

Overview
========
When a vfat thumbdrive which contains `` or $() in its volume label is plugged
and mounted trough the device notifier, it's interpreted as a shell command,
leaving a possibility of arbitrary commands execution. an example of offending
volume label is "$(touch b)" which will create a file called b in the
home folder.

Workaround
==========
Mount removable devices with Dolphin instead of the device notifier.

Solution
========
Update to Plasma >= 5.12.0 or Plasma >= 5.8.9

Or apply the following patches:
Plasma 5.8:
    https://commits.kde.org/plasma-workspace/9db872df82c258315c6ebad800af59e81ffb9212
Plasma 5.9/5.10/5.11:
    https://commits.kde.org/plasma-workspace/f32002ce50edc3891f1fa41173132c820b917d57

Credits
=======
Thanks to ksieluzyckih for the report and to Marco Martin for the fix.

CVE References

Revision history for this message
Simon Quigley (tsimonq2) wrote :

I'm assigning the Bionic fixes to Rik; I'm unsure if plasma-workspace is still affected, but it seems kde-runtime is in fact affected.

Changed in plasma-workspace (Ubuntu Bionic):
assignee: nobody → Rik Mills (rikmills)
importance: Undecided → High
Changed in plasma-workspace (Ubuntu Artful):
assignee: nobody → Simon Quigley (tsimonq2)
importance: Undecided → High
status: New → In Progress
Changed in plasma-workspace (Ubuntu Xenial):
assignee: nobody → Simon Quigley (tsimonq2)
importance: Undecided → High
status: New → In Progress
Changed in plasma-workspace (Ubuntu Trusty):
assignee: nobody → Simon Quigley (tsimonq2)
importance: Undecided → High
status: New → In Progress
Changed in kde-runtime (Ubuntu Bionic):
assignee: nobody → Rik Mills (rikmills)
importance: Undecided → High
Changed in kde-runtime (Ubuntu Artful):
assignee: nobody → Simon Quigley (tsimonq2)
importance: Undecided → High
status: New → In Progress
Changed in kde-runtime (Ubuntu Xenial):
assignee: nobody → Simon Quigley (tsimonq2)
importance: Undecided → High
status: New → In Progress
Changed in kde-runtime (Ubuntu Trusty):
importance: Undecided → High
status: New → In Progress
assignee: nobody → Simon Quigley (tsimonq2)
Revision history for this message
Simon Quigley (tsimonq2) wrote :

CVE-2018-6790
CVE-2018-6791

Rik Mills (rikmills)
Changed in plasma-workspace (Ubuntu Bionic):
status: New → Fix Released
Revision history for this message
Rik Mills (rikmills) wrote :

No information in the referenced CVE to say how or if it affects kde-runtime.

Changed in kde-runtime (Ubuntu Bionic):
status: New → Incomplete
Revision history for this message
Simon Quigley (tsimonq2) wrote :

Debian says kde-runtime isn't affected, and I can confirm.

Changed in kde-runtime (Ubuntu Trusty):
status: In Progress → Invalid
Changed in kde-runtime (Ubuntu Xenial):
status: In Progress → Invalid
no longer affects: kde-runtime (Ubuntu)
no longer affects: kde-runtime (Ubuntu Trusty)
no longer affects: kde-runtime (Ubuntu Xenial)
no longer affects: kde-runtime (Ubuntu Artful)
no longer affects: kde-runtime (Ubuntu Bionic)
Revision history for this message
Simon Quigley (tsimonq2) wrote :

There isn't even a plasma-workspace on Trusty...

no longer affects: plasma-workspace (Ubuntu Trusty)
Revision history for this message
Simon Quigley (tsimonq2) wrote :

I remember having a discussion with the security team and forgot to update this bug...

CVE-2018-6790 isn't worth patching because it's a low priority CVE with an intrusive patch. So I consider that Won't Fix.

description: updated
Revision history for this message
Simon Quigley (tsimonq2) wrote :

These fixes should be looked into for Backports too.

Revision history for this message
Simon Quigley (tsimonq2) wrote :

So it looks like Backports already has the fixes.

Revision history for this message
Simon Quigley (tsimonq2) wrote :

I have uploaded these fixes (for Artful and Xenial) to a fresh, empty test PPA of mine with all architectures enabled and only the security repo enabled. I then tested both in VMs of each release, and they work as intended. It also fixes the security issue.

Security Team, feel free to copy my packages to your PPA:
https://launchpad.net/~tsimonq2/+archive/ubuntu/security-test-builds/+sourcepub/8860818/+listing-archive-extra
https://launchpad.net/~tsimonq2/+archive/ubuntu/security-test-builds/+sourcepub/8860822/+listing-archive-extra

The diffs for each are on that page if you would like to do it manually.

Please sponsor each to go into Ubuntu.

Thanks.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package plasma-workspace - 4:5.10.5-0ubuntu1.1

---------------
plasma-workspace (4:5.10.5-0ubuntu1.1) artful-security; urgency=high

  * SECURITY UPDATE: Arbitrary command execution in the removable device
    notifier (LP: #1748247):
    - fix-CVE-2018-6791.patch
    - CVE-2018-6791

 -- Simon Quigley <email address hidden> Fri, 16 Mar 2018 23:02:49 -0500

Changed in plasma-workspace (Ubuntu Artful):
status: In Progress → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package plasma-workspace - 4:5.5.5.2-0ubuntu1.1

---------------
plasma-workspace (4:5.5.5.2-0ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Arbitrary command execution in the removable device
    notifier (LP: #1748247):
    - fix-CVE-2018-6791.patch
    - CVE-2018-6791

 -- Simon Quigley <email address hidden> Fri, 16 Mar 2018 23:24:11 -0500

Changed in plasma-workspace (Ubuntu Xenial):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers