One important security vulnerability fixed in the KDE Plasma 5.12 LTS desktop environment is a USB exploit. It could allow a local attacker with physical access to an unpatched computer to execute arbitrary commands if a malicious USB flash drive contained certain characters in its volume label and was mounted via the removable device notifier.
All KDE Plasma users running a previous version of the desktop environment should update their installations to the latest KDE Plasma 5.12 LTS release as soon as possible. The new version is already available in the software repositories of popular GNU/Linux distributions like Kubuntu/Ubuntu, Arch Linux, openSUSE, and others, so there’s nothing holding you back from updating right now.
If you can’t update your KDE Plasma desktop to version 5.12, there’s a workaround for the USB bug: mount all removable USB devices with the Dolphin file manager instead of using the device notifier. Previous LTS users using Plasma 5.8 can update to KDE Plasma 5.8.9 LTS, which also addresses this security flaw. Other Plasma users can apply the patches in the advisory.
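To check a machine against the fixed releases named above, here is an added example (not code from KDE or the advisory) that classifies a Plasma version string. The function name and status strings are hypothetical, and it assumes `plasmashell --version` prints `plasmashell X.Y.Z`; a distribution package with backported patches is still judged by its version number alone.

```shell
#!/bin/sh
# Added example, not KDE's code. The thresholds 5.12 and 5.8.9 come from the
# article; the function name and status strings are hypothetical.

# Print the remediation status for a Plasma version string such as "5.8.7".
plasma_usb_fix_status() {
    ver=${1%%[!0-9.]*}            # drop packaging suffixes like "-0ubuntu1"
    if [ -z "$ver" ]; then
        echo "unknown"
        return 0
    fi
    old_ifs=$IFS
    IFS=.
    set -- $ver                   # split into major, minor, patch
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}

    if [ "$major" -ne 5 ]; then
        echo "unknown"            # the article only covers Plasma 5
    elif [ "$minor" -ge 12 ]; then
        echo "fixed"              # 5.12 LTS or later
    elif [ "$minor" -eq 8 ] && [ "$patch" -ge 9 ]; then
        echo "fixed"              # 5.8 LTS branch with the 5.8.9 update
    elif [ "$minor" -eq 8 ]; then
        echo "update-to-5.8.9"
    else
        # Other branches: update, apply the advisory patches, or mount
        # removable devices with Dolphin instead of the device notifier.
        echo "update-to-5.12-or-apply-patches"
    fi
}

# Report on the local install when plasmashell is present.
# Assumption: the version is the second word of "plasmashell --version".
if command -v plasmashell >/dev/null 2>&1; then
    installed=$(plasmashell --version 2>/dev/null | awk '{print $2}')
    echo "Plasma ${installed:-?}: $(plasma_usb_fix_status "$installed")"
fi
```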
Submitted by: Arnfried Walbrecht