# Woops, messed up with the retitles.
# nautilus
retitle 408556 SECURITY: Specially crafted .desktop files can disguise as harmless files
# gnome-vfs2
retitle 408948 SECURITY: Incorrect MIME type detection can trick users into running arbitrary commands
stop
On Mon, Jan 29, 2007, Loïc Minier wrote:
> clone 408556 -1
> reassign 408556 nautilus
> retitle -1 SECURITY: Specially crafted .desktop files can disguise as harmless files
> stop
>
> Hi,
>
> Since it wasn't clear for everybody reading this bug: Debian #408556 is
> about the fact that files with unknown extensions (e.g. ".jpg ", mind
> the final space), but executable contents (such as a .desktop file), can
> trick users into running arbitrary commands.
>
> This is a security problem because you can trick users into saving a
> file named e.g. "apple.jpg " and opening it because they might think
> opening .jpg files is safe, but gnome-vfs/shared-mime-info will report
> the MIME type as being ".desktop file" and nautilus will run the
> specified command instead of opening the .jpg viewer.
>
> The proposed solution for this bug is to check whether the file uses
> the correct extension for its MIME type as is done in Xfce's VFS lib
> (see attached .c snippet).
>
>
> I'm cloning this bug and reassigning against nautilus because the
> current way in which .desktop files are painted in nautilus is a
> security issue in itself: people can host dangerous files on smb://
> shares and trick users into opening them because nautilus will display
> the .desktop file using its embedded "Name" and "Icon"; so you can
> display the .desktop file as if it were a picture or sound file with
> the name of a picture or sound file, and people will be tricked into
> opening it with no useful way to distinguish.
>
> The proposed solution for this bug is to filter for which URLs nautilus
> is allowed to nicely display .desktop files. http:// and smb:// could
> be disabled by default and file:// and computer:// could be enabled,
> but some special URLs need to be explicitly authorized as nautilus
> relies on .desktop files support in e.g. smb://$workgroup/ to list
> computer names.
>
> Bye,
> --
> Loïc Minier <[EMAIL PROTECTED]>

--
Loïc Minier <[EMAIL PROTECTED]>
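The two mitigations proposed in the quoted message (an extension-vs-content consistency check, as in Xfce's VFS lib, and a URL-scheme allowlist for rendering .desktop entries with their embedded Name/Icon) as an added, stand-alone example; this is not the attached .c snippet nor nautilus or gnome-vfs code. The content sniffer, the extension table and the sample files are constructed stand-ins for shared-mime-info, and the trusted scheme set is assumed from the thread's suggested defaults.

```python
import os
from urllib.parse import urlparse

# Extensions users treat as safe to open, mapped to the content type they
# are expected to carry (illustrative subset, not the shared-mime-info db).
EXPECTED_BY_EXT = {
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".png": "image/png",
    ".desktop": "application/x-desktop",
}

# Schemes whose .desktop files may be painted with embedded Name/Icon
# (assumed defaults: the thread suggests file:// and computer:// on,
# http:// and smb:// off; further exceptions would need explicit listing).
TRUSTED_SCHEMES = {"file", "computer"}

# Constructed sample: a desktop entry whose Name pretends to be a picture.
SAMPLE_DESKTOP = b"[Desktop Entry]\nType=Application\nName=apple.jpg\nIcon=image-x-generic\n"
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 12

def sniff_mime(data: bytes) -> str:
    """Tiny content sniffer standing in for shared-mime-info magic rules."""
    if data.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    if data.lstrip().startswith(b"[Desktop Entry]"):
        return "application/x-desktop"
    return "application/octet-stream"

def extension_of(name: str) -> str:
    # Deliberately no whitespace stripping: "apple.jpg " must NOT count as .jpg,
    # because that trailing space is exactly what the disguise relies on.
    return os.path.splitext(name)[1].lower()

def is_disguised(name: str, data: bytes) -> bool:
    """True when the sniffed content type does not fit the visible extension."""
    content_type = sniff_mime(data)
    ext = extension_of(name)
    if content_type == "application/x-desktop":
        # A launcher is only acceptable under its honest extension.
        return ext != ".desktop"
    expected = EXPECTED_BY_EXT.get(ext)
    return expected is not None and expected != content_type

def may_render_desktop_entry(uri: str) -> bool:
    """Allow Name/Icon rendering of a .desktop file only from trusted schemes."""
    return urlparse(uri).scheme in TRUSTED_SCHEMES

if __name__ == "__main__":
    print(is_disguised("apple.jpg ", SAMPLE_DESKTOP))
    print(may_render_desktop_entry("smb://server/share/apple.jpg "))
```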