KDE Bug Executes Arbitrary Code Based on Name of Thumb Drive


This is one of the dumbest and most dangerous bugs I’ve ever heard of. From the KDE security list:

When a vfat thumb drive which contains " or $() in its volume label is plugged and mounted through the device notifier, it's interpreted as a shell command, leaving a possibility of arbitrary command execution. An example of an offending volume label is "$(touch b)", which will create a file called b in the home folder.

It’s jaw-dropping.
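The pattern the advisory describes, modelled in POSIX shell as an added example (this is not code from the post or from KDE): a notifier that splices the volume label into a command string hands it to the shell as code, while one that passes the label as a separate argument treats it as data. The label value is constructed and harmless; the `label_is_safe` allowlist is an assumed check, not KDE's fix.

```shell
#!/bin/sh
# Added example, not from the post or from KDE. Models the bug class in
# the advisory: a volume label reaching a shell as part of command text.

# Constructed label: a harmless stand-in for the advisory's "$(touch b)".
LABEL='$(echo INJECTED)'

# Vulnerable pattern: the label becomes part of the command text, so the
# inner shell performs command substitution on whatever it contains.
notify_vulnerable() {
    sh -c "echo Mounted $1"
}

# Hardened pattern: the command text is fixed; the label travels as a
# positional parameter and is only ever expanded as a plain string.
notify_hardened() {
    sh -c 'echo "Mounted $1"' _ "$1"
}

# Assumed defensive check: accept only letters, digits, space, _ and -
# so a label carrying shell metacharacters never reaches a command.
label_is_safe() {
    case "$1" in
        *[!A-Za-z0-9_' '-]*) return 1 ;;
        *) return 0 ;;
    esac
}

main() {
    echo "vulnerable: $(notify_vulnerable "$LABEL")"   # Mounted INJECTED
    echo "hardened:   $(notify_hardened "$LABEL")"     # Mounted $(echo INJECTED)
    if label_is_safe "$LABEL"; then
        echo "label accepted"
    else
        echo "label rejected"
    fi
}
main
```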

Hello There

My name is Phil Nelson and I make beautiful objects for a troubled world. I'm a designer / developer / writer / director / editor / narrator at Occipital.
