** Description changed:

  Binary package hint: pcmanfm
  
  When you double-click on a file to execute in pcmanfm, this will only
  succeed if there are no spaces in its absolute path. Spaces in the
  filename or in any directories in the file's full path are not escaped
  -- consequently, double-clicking on a file with its executable bit set
  results in pcmanfm attempting to execute the file whose path consists of
  all the characters in the original file's path before the first space.
- (Typically that file would not exist.)
+ (Typically that file, if different from the original, would not exist.)
  
  I have already reproduced this bug with the latest upstream git sources and 
reported it on the upstream tracker:
  
http://sourceforge.net/tracker/?func=detail&aid=3143296&group_id=156956&atid=801864
  
  This bug is also either similar or idential to a bug previously reported last 
month, which was believed to be fixed in the latest git sources and marked 
out-of-date on the upstream tracker:
  
http://sourceforge.net/tracker/?func=detail&aid=3101059&group_id=156956&atid=801864
  
  The reason I am filing a report here even though I have no reason to
  think the issue is specific to Ubuntu and I have reported it upstream,
  is that it seems to me that this bug is significant enough that, once
  fixed, the fix ought to be backported to pcmanfm in supported Ubuntu
  releases.
  
  Note that this is not the same bug as Bug 686526, which applies to the
  URI created and passed via the --extract-here flag to file-roller. This
  is also not the same as the bug with upstream (SourceForge) ID 3096318
  (referenced in Bug 686526), which applied to the opening (not executing)
  of files with certain associations.
  
  Theoretically, this is a security vulnerabilty, in that it could be
  exploited on a multi-user system (or any system that mounts a drive
  shared between systems) to cause a user to execute a malicious
  executable inside a sticky directory. However, I am not flagging this as
  a security vulnerability. Should I? That is one of the reasons I think
  its fix, once committed to the upstream git tree, should be backported
  to previous versions in Ubuntu. But it seems that the insecurity
  produced by this bug is small, while the unusability produced by it is
  large the primary reason it should be fixed.
  
  ProblemType: Bug
  DistroRelease: Ubuntu 10.10
  Package: pcmanfm 0.9.7-1ubuntu1
  ProcVersionSignature: Ubuntu 2.6.35-24.42-generic 2.6.35.8
  Uname: Linux 2.6.35-24-generic x86_64
  Architecture: amd64
  Date: Thu Dec 23 20:59:07 2010
  ExecutablePath: /usr/bin/pcmanfm
  InstallationMedia: Xubuntu 10.04 "Lucid Lynx" - Beta amd64 (20100406)
  Pref_Config_System_Lubuntu:
-  [Preferred Applications]
-  WebBrowser=firefox.desktop
-  MailClient=
+  [Preferred Applications]
+  WebBrowser=firefox.desktop
+  MailClient=
  ProcEnviron:
-  LANGUAGE=en_US.utf8
-  LANG=en_US.utf8
-  LC_MESSAGES=en_US.utf8
-  SHELL=/bin/bash
+  LANGUAGE=en_US.utf8
+  LANG=en_US.utf8
+  LC_MESSAGES=en_US.utf8
+  SHELL=/bin/bash
  RelatedPackageVersions:
-  libmenu-cache1 0.3.2-2
-  pcmanfm 0.9.7-1ubuntu1
-  udisks 1.0.1+git20100614-3
-  gvfs 1.6.4-0ubuntu1.1
+  libmenu-cache1 0.3.2-2
+  pcmanfm 0.9.7-1ubuntu1
+  udisks 1.0.1+git20100614-3
+  gvfs 1.6.4-0ubuntu1.1
  SourcePackage: pcmanfm

** Description changed:

  Binary package hint: pcmanfm
  
  When you double-click on a file to execute in pcmanfm, this will only
  succeed if there are no spaces in its absolute path. Spaces in the
  filename or in any directories in the file's full path are not escaped
  -- consequently, double-clicking on a file with its executable bit set
  results in pcmanfm attempting to execute the file whose path consists of
  all the characters in the original file's path before the first space.
  (Typically that file, if different from the original, would not exist.)
  
  I have already reproduced this bug with the latest upstream git sources and 
reported it on the upstream tracker:
  
http://sourceforge.net/tracker/?func=detail&aid=3143296&group_id=156956&atid=801864
  
  This bug is also either similar or idential to a bug previously reported last 
month, which was believed to be fixed in the latest git sources and marked 
out-of-date on the upstream tracker:
  
http://sourceforge.net/tracker/?func=detail&aid=3101059&group_id=156956&atid=801864
  
  The reason I am filing a report here even though I have no reason to
  think the issue is specific to Ubuntu and I have reported it upstream,
  is that it seems to me that this bug is significant enough that, once
  fixed, the fix ought to be backported to pcmanfm in supported Ubuntu
  releases.
  
  Note that this is not the same bug as Bug 686526, which applies to the
  URI created and passed via the --extract-here flag to file-roller. This
  is also not the same as the bug with upstream (SourceForge) ID 3096318
  (referenced in Bug 686526), which applied to the opening (not executing)
  of files with certain associations.
  
  Theoretically, this is a security vulnerabilty, in that it could be
  exploited on a multi-user system (or any system that mounts a drive
  shared between systems) to cause a user to execute a malicious
  executable inside a sticky directory. However, I am not flagging this as
  a security vulnerability. Should I? That is one of the reasons I think
  its fix, once committed to the upstream git tree, should be backported
  to previous versions in Ubuntu. But it seems that the insecurity
  produced by this bug is small, while the unusability produced by it is
- large the primary reason it should be fixed.
+ large and the primary reason it should be fixed.
  
  ProblemType: Bug
  DistroRelease: Ubuntu 10.10
  Package: pcmanfm 0.9.7-1ubuntu1
  ProcVersionSignature: Ubuntu 2.6.35-24.42-generic 2.6.35.8
  Uname: Linux 2.6.35-24-generic x86_64
  Architecture: amd64
  Date: Thu Dec 23 20:59:07 2010
  ExecutablePath: /usr/bin/pcmanfm
  InstallationMedia: Xubuntu 10.04 "Lucid Lynx" - Beta amd64 (20100406)
  Pref_Config_System_Lubuntu:
   [Preferred Applications]
   WebBrowser=firefox.desktop
   MailClient=
  ProcEnviron:
   LANGUAGE=en_US.utf8
   LANG=en_US.utf8
   LC_MESSAGES=en_US.utf8
   SHELL=/bin/bash
  RelatedPackageVersions:
   libmenu-cache1 0.3.2-2
   pcmanfm 0.9.7-1ubuntu1
   udisks 1.0.1+git20100614-3
   gvfs 1.6.4-0ubuntu1.1
  SourcePackage: pcmanfm

** Bug watch added: SourceForge.net Tracker #3143296
   http://sourceforge.net/support/tracker.php?aid=3143296

** Also affects: pcmanfm via
   http://sourceforge.net/support/tracker.php?aid=3143296
   Importance: Unknown
       Status: Unknown

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/693990

Title:
  pcmanfm doesn't escape spaces in filenames it executes

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to