Public bug reported:

Binary package hint: pcmanfm

When you double-click on a file to execute in pcmanfm, this will only
succeed if there are no spaces in its absolute path. Spaces in the
filename or in any directories in the file's full path are not escaped
-- consequently, double-clicking on a file with its executable bit set
results in pcmanfm attempting to execute the file whose path consists of
all the characters in the original file's path before the first space.
(Typically that file, if different from the original, would not exist.)

I have already reproduced this bug with the latest upstream git sources and 
reported it on the upstream tracker:
http://sourceforge.net/tracker/?func=detail&aid=3143296&group_id=156956&atid=801864

This bug is also either similar or idential to a bug previously reported last 
month, which was believed to be fixed in the latest git sources and marked 
out-of-date on the upstream tracker:
http://sourceforge.net/tracker/?func=detail&aid=3101059&group_id=156956&atid=801864

The reason I am filing a report here even though I have no reason to
think the issue is specific to Ubuntu and I have reported it upstream,
is that it seems to me that this bug is significant enough that, once
fixed, the fix ought to be backported to pcmanfm in supported Ubuntu
releases.

Note that this is not the same bug as Bug 686526, which applies to the
URI created and passed via the --extract-here flag to file-roller. This
is also not the same as the bug with upstream (SourceForge) ID 3096318
(referenced in Bug 686526), which applied to the opening (not executing)
of files with certain associations.

Theoretically, this is a security vulnerabilty, in that it could be
exploited on a multi-user system (or any system that mounts a drive
shared between systems) to cause a user to execute a malicious
executable inside a sticky directory. However, I am not flagging this as
a security vulnerability. Should I? That is one of the reasons I think
its fix, once committed to the upstream git tree, should be backported
to previous versions in Ubuntu. But it seems that the insecurity
produced by this bug is small, while the unusability produced by it is
large and the primary reason it should be fixed.

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: pcmanfm 0.9.7-1ubuntu1
ProcVersionSignature: Ubuntu 2.6.35-24.42-generic 2.6.35.8
Uname: Linux 2.6.35-24-generic x86_64
Architecture: amd64
Date: Thu Dec 23 20:59:07 2010
ExecutablePath: /usr/bin/pcmanfm
InstallationMedia: Xubuntu 10.04 "Lucid Lynx" - Beta amd64 (20100406)
Pref_Config_System_Lubuntu:
 [Preferred Applications]
 WebBrowser=firefox.desktop
 MailClient=
ProcEnviron:
 LANGUAGE=en_US.utf8
 LANG=en_US.utf8
 LC_MESSAGES=en_US.utf8
 SHELL=/bin/bash
RelatedPackageVersions:
 libmenu-cache1 0.3.2-2
 pcmanfm 0.9.7-1ubuntu1
 udisks 1.0.1+git20100614-3
 gvfs 1.6.4-0ubuntu1.1
SourcePackage: pcmanfm

** Affects: pcmanfm
     Importance: Unknown
         Status: Unknown

** Affects: pcmanfm (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug i386 maverick natty

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/693990

Title:
  pcmanfm doesn't escape spaces in filenames it executes

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to