Thank you for using Ubuntu and taking the time to report a bug. Your report should contain, at a minimum, the following information so we can better find the source of the bug and work to resolve it.
Submitting the bug about the proper source package is essential. For help see https://wiki.ubuntu.com/Bugs/FindRightPackage . Additionally, in the report please include: 1) The release of Ubuntu you are using, via 'cat /etc/lsb-release' or System -> About Ubuntu. 2) The version of the package you are using, via 'dpkg -l PKGNAME | cat' or by checking in Synaptic. 3) What happened and what you expected to happen. The Ubuntu community has also created debugging procedures for a wide variety of packages at https://wiki.ubuntu.com/DebuggingProcedures . Following the debugging instructions for the affected package will make your bug report much more complete. Thanks! ** Information type changed from Private Security to Public ** Changed in: zenity (Ubuntu) Status: New => Invalid -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to zenity in Ubuntu. https://bugs.launchpad.net/bugs/1336705 Title: Creating .desktop file with zenity makes it executable without permission Status in “zenity” package in Ubuntu: Invalid Bug description: Description: Ubuntu 14.04 LTS Release: 14.04 Ubuntu Software Center: 13.10 Short description: I created a script using zenity to create shortcut files of the type .desktop files. However, when the script runs the last step of making the .desktop file executable, the executable shortcut is created even without entering the password and it remains executable even after reboot. All the more, the listing the file with the terminal maintains that the .desktop file is not executable. Reproducing the security loophole: [I'm taking the example of creating a clickable shortcut of latest Tor-bundle which I have extracted at ~/Software] Step 1. Run the script via the terminal (attached herewith). Step 2. Following parameters are specified when asked by zenity: a. Application path: ~/Software/tor-browser_en-US/start-tor-browser b. Application name: Tor c. Comment: Browse Internet anonymously d. Icon: ~/Software/tor-browser_en-US/Browser/browser/chrome/icons/default/default48.png e. Category: Network Step 3. The script will move the .desktop file (start-tor- browser.desktop in this case) to ~/.local/share/applications. The terminal will ask for user's password for changing permissions of the file. DO NOT SPECIFY PASSWORD but press ctrl-C. Search unity dash for tor and a created shortcut is displayed which is executable when clicked. Step 4. Open terminal and change directory to ~/.local/share/applications. Typing 'ls -l' will show that start-tor- browser.desktop thus created is still not executable and cannot be launched by the terminal while the shortcut in the dash is executable and can be launched by clicking it. Step 5. Reboot the computer and relogin. The shortcut still appears in the dash and is executable. I believe this is a security issue which needs to be fixed. PS - I do not belong to any computer related profession and follow computer science as a hobby. Any novice mistakes may please be overlooked. ProblemType: Bug DistroRelease: Ubuntu 14.04 Package: zenity 3.8.0-1ubuntu1 ProcVersionSignature: Ubuntu 3.13.0-30.54-generic 3.13.11.2 Uname: Linux 3.13.0-30-generic x86_64 ApportVersion: 2.14.1-0ubuntu3.2 Architecture: amd64 CurrentDesktop: Unity Date: Wed Jul 2 14:12:53 2014 ExecutablePath: /usr/bin/zenity InstallationDate: Installed on 2014-04-21 (71 days ago) InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20140417) SourcePackage: zenity UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/zenity/+bug/1336705/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : [email protected] Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
