KDE Bug Executes Arbitrary Code Based on Name of Thumb Drive

This is one of the dumbest and most dangerous bugs I’ve ever heard of. From the KDE security list:

When a vfat thumbdrive which contains " or $() in its volume label is plugged
and mounted through the device notifier, it's interpreted as a shell command,
leaving a possibility of arbitrary command execution. An example of offending
volume label is "$(touch b)" which will create a file called b in the
home folder.

It’s jaw-dropping.
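The bug class behind the advisory is plain string interpolation into a shell command. The following Python is an added illustration, not KDE code: it contrasts the vulnerable pattern (label spliced into a `shell=True` command string) with the hardened one (argument vector, no shell), using a constructed label that performs a harmless `echo` substitution instead of the advisory's `touch`. The helper names and the label are assumptions for the demonstration.

```python
import re
import shlex
import subprocess

# Constructed volume label, in the spirit of the advisory's "$(touch b)" but
# with a side-effect-free command substitution so the difference is observable.
LABEL = "$(echo INJECTED)"


def mount_message_unsafe(label: str) -> str:
    """Vulnerable pattern: the label is pasted into a shell command string.

    With shell=True the shell parses the string first, so $(...) inside the
    label is expanded and executed before 'echo' ever sees it.
    """
    cmd = f"echo mounting {label}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return out.stdout.strip()


def mount_message_safe(label: str) -> str:
    """Hardened pattern: argument vector and no shell.

    The label reaches the program as one literal argv entry; nothing interprets
    quotes or $() inside it.
    """
    out = subprocess.run(["echo", "mounting", label], capture_output=True, text=True, check=True)
    return out.stdout.strip()


# Characters that carry meaning to a POSIX shell; useful as a detection heuristic
# when logging or alerting on device metadata, not as a substitute for the fix above.
SHELL_META = re.compile(r'[`$"\'\\;&|<>(){}\n]')


def label_is_suspicious(label: str) -> bool:
    """Flag labels that contain shell metacharacters (assumed heuristic)."""
    return bool(SHELL_META.search(label))


def quote_for_shell(label: str) -> str:
    """If a shell string is unavoidable, shlex.quote() renders the label inert."""
    return shlex.quote(label)


if __name__ == "__main__":
    print("unsafe :", mount_message_unsafe(LABEL))   # shell expanded $(...)
    print("safe   :", mount_message_safe(LABEL))     # label printed verbatim
    print("flagged:", label_is_suspicious(LABEL))
    print("quoted :", quote_for_shell(LABEL))
```

The unsafe variant prints `mounting INJECTED`, proving the substitution ran; the safe variant prints the label verbatim. The regex check is a detection aid for auditing mount events, while the real mitigation is never handing untrusted metadata to a shell.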