KDE Bug Executes Arbitrary Code Based on Name of Thumb Drive

This is one of the dumbest and most dangerous bugs I’ve ever heard of. From the KDE security list:

When a vfat thumbdrive which contains `"` or `$()` in its volume label is plugged and mounted through the device notifier, it's interpreted as a shell command, leaving a possibility of arbitrary command execution. An example of an offending volume label is `$(touch b)`, which will create a file called b in the home folder.

It’s jaw-dropping.
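The root cause is an untrusted string (the volume label) being spliced into a shell command. The following is an added illustration, not KDE's code: the mount command string, the `/media/usb` path and the `mount -L` invocation are assumptions standing in for whatever the device notifier actually ran; it shows the vulnerable pattern, a check that flags labels the report describes as offending, and the two fixes (argv list, or `shlex.quote` when a shell string is unavoidable).

```python
import shlex

# Characters that let a label break out of a double-quoted shell string;
# the KDE report names '"' and '$()' specifically, backtick and backslash
# are the other classic escapes from that context.
SHELL_META = set('"$`\\')


def label_is_suspicious(label: str) -> bool:
    """Flag a volume label that could escape a double-quoted shell string.

    Useful as a detection rule when auditing mount logs or labels.
    """
    return any(ch in SHELL_META for ch in label)


def unsafe_command(label: str) -> str:
    """The vulnerable pattern: label interpolated into a shell string.

    Returned as text for inspection only; never handed to a shell here.
    The exact command KDE built is not on the page, so this is assumed.
    """
    return f'mount -L "{label}" /media/usb'


def safe_command(label: str) -> list:
    """Hardened form: the label is one argv element and no shell ever
    parses it, so '$(touch b)' is just a label, not a command."""
    return ["mount", "-L", label, "/media/usb"]


def quoted_command(label: str) -> str:
    """If a shell string is unavoidable, shlex.quote single-quotes the
    label so every metacharacter in it becomes inert."""
    return f"mount -L {shlex.quote(label)} /media/usb"


def quoting_round_trips(label: str) -> bool:
    """Re-tokenise the quoted command with a POSIX-style splitter and
    confirm the label comes back unchanged as the third word."""
    return shlex.split(quoted_command(label))[2] == label


if __name__ == "__main__":
    # Constructed sample: the label from the KDE report.
    label = "$(touch b)"
    print("suspicious:", label_is_suspicious(label))
    print("unsafe   :", unsafe_command(label))
    print("safe argv:", safe_command(label))
    print("quoted   :", quoted_command(label))
```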