KDE Plasma Workspaces: Multiple vulnerabilities — GLSA 201803-09

Multiple vulnerabilities have been found in KDE Plasma Workspaces, the worst of which allows local attackers to execute arbitrary commands.

Affected Packages

kde-plasma/plasma-workspace on all architectures
Affected versions < 5.11.5-r1
Unaffected versions >= 5.11.5-r1

Background

KDE Plasma workspace is a widget based desktop environment designed to be fast and efficient.

Description

Multiple vulnerabilities have been discovered in KDE Plasma Workspaces. Please review the referenced CVE identifiers for details.

Impact

An attacker could execute arbitrary commands via specially crafted thumb drive’s volume labels or obtain sensitive information via specially crafted notifications.

Workaround

Users should mount removable devices with Dolphin instead of the device notifier.

Users should disable notifications.

Resolution

All KDE Plasma Workspace users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose
 ">=kde-plasma/plasma-workspace-5.11.5-r1"
 

References

Release Date
March 19, 2018

Latest Revision
March 19, 2018: 1

Severity
normal

Exploitable
local, remote

Bugzilla entries