Actually I think the advisory is wrong. As far as I can tell this has nothing to do with *mounting* devices. It's about the actions you get ("download photos with DigiKam" etc) - those basically run "/usr/bin/app <mountpoint>" and *that* is where they forgot to escape.
This makes more sense because mounting should be handled via DBus/UDisks and there's no reason for the shell to get involved.
You know, this is the kind of thing the "systemd style thinking" of dbus all the things helps prevent. The traditional UNIX approach of using shell to glue all the pieces together has always been a security minefield. Just don't put it into PID 1.
But also part of the reason why systemd gets ridiculed is that they have a history of not taking security issues seriously. Nobody had to forcibly get a CVE assigned for this because KDE wouldn't do it.
Most desktop environments let you mount devices from a pop-up when they are connected.
/dev/sdb is the device; it has to be mounted to a directory to work. The kernel never automounts, there are userspace mechanisms (UDisks2) to do that (usually mounting under /run/media/<username>/<volumelabel> these days) and KDE interacts with those on user request.
TBF, I don't think they even have a *good* reason to be using the shell here. It seems to be passing an argument to applications at launch. That can and should be done directly as argv without shell parsing getting involved.
Might just be the freedesktop spec for desktop files requires it or something (if that's the case, it should be fixed).
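The point made above, as an added example that is not KDE's code nor anything from the freedesktop spec's reference implementations: the Exec= line is tokenized first and the mount point is then substituted as a single argv element, versus the splice-then-reparse pattern the thread describes. The command line, the flag and the mount path are constructed placeholders, and shlex is used as an approximation of the spec's quoting rules.

```python
import shlex
import subprocess

# Field codes from the freedesktop Desktop Entry spec that expand to the
# file(s)/URL(s) the action was invoked on; for a device action that is
# the mount point.
TARGET_FIELD_CODES = {"%f", "%F", "%u", "%U"}


def exec_to_argv(exec_line: str, target: str) -> list:
    """Build argv for an Exec= line, inserting `target` as ONE argv element.

    The Exec line is tokenized first (shlex approximates the spec's quoting
    rules, an assumption of this example); the target is then substituted
    token-by-token and is never spliced into a string or re-parsed, so
    spaces, quotes, ';', '$' or backticks in a volume label reach the
    program as a literal argument. Only the file/URL field codes are
    handled here; '%%' becomes a literal '%'.
    """
    argv = []
    for token in shlex.split(exec_line):
        if token in TARGET_FIELD_CODES:
            argv.append(target)
        else:
            argv.append(token.replace("%%", "%"))
    return argv


def naive_exec_to_argv(exec_line: str, target: str) -> list:
    """The pattern the thread describes: substitute into the command string
    first, then let a shell-style word splitter re-parse the result.
    Whatever the label contains is now interpreted as command syntax."""
    return shlex.split(exec_line.replace("%f", target))


def launch(argv: list) -> subprocess.Popen:
    """Start the program from an argument vector: no shell, no re-parsing."""
    return subprocess.Popen(argv)  # never shell=True with data from a label


if __name__ == "__main__":
    # Constructed sample: hypothetical Exec line and a mount point whose
    # volume label contains spaces and parentheses.
    exec_line = "/usr/bin/app --import %f"
    mount_point = "/run/media/alice/My Photos (2019)"
    print("tokenize-then-substitute:", exec_to_argv(exec_line, mount_point))
    print("substitute-then-reparse: ", naive_exec_to_argv(exec_line, mount_point))
```

The first call yields three arguments with the mount point intact; the second splits the label into three separate arguments, which is the same class of mistake as handing the spliced string to a shell.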