[This][link] is one of the dumbest and most dangerous bugs I’ve ever heard of. From the KDE security list:
[link]: https://www.kde.org/info/security/advisory-20180208-2.txt “KDE Project Security Advisory”
>When a vfat thumbdrive which contains “ or $() in its volume label is plugged
and mounted trough the device notifier, it’s interpreted as a shell command,
leaving a possibility of arbitrary commands execution. an example of offending
volume label is “$(touch b)” which will create a file called b in the
home folder.
It’s jaw-dropping.