Rodney Dawes wrote:
> First off, you apparently missed the whole thread about this, which was
> started on March 23. You might want to look at the archives and read
> through it. The replies extend into April.
>
> http://lists.freedesktop.org/archives/xdg/2006-March/007904.html
>
>
> On Sun, 2006-04-02 at 22:29 -0700, Sam Watkins wrote:
> > 1. do you agree that this is a serious security problem?
>
> I don't think it is a serious security problem. While it does expose
> the ability to run shell commands from the .desktop file, it doesn't
> seem likely that many people will do it. I mean, Windows has had
> shortcut files which are pretty much exactly the same as our .desktop
> files, and you never hear of anyone doing specific attacks like you
> suggest would be done. There are much more interesting ways to do them,
> than to have a .desktop file with an icon/label that lies about itself.

We just got a new bug report. After playing with it, I believe that it
is a security problem.

I am attaching a file, which is not supposed to be displayed as an image,
but it is (you need gnome-desktop package to see the icon).

It's enough to save this file to any directory and you execute anything.

Note that the file name is "apple.jpg ".

https://bugzilla.novell.com/show_bug.cgi?id=238503

Proposed fix: Better .desktop file detection in shared-mime-info (e.g.
remove magic).

-- 
Best Regards / S pozdravem,

Stanislav Brabec
software developer
---------------------------------------------------------------------
SUSE LINUX, s. r. o.                          e-mail: [EMAIL PROTECTED]
Lihovarská 1060/12                            tel: +420 284 028 966
190 00 Praha 9                                fax: +420 284 028 951
Czech Republic                                http://www.suse.cz/

<<attachment: apple.jpg>>
_______________________________________________
xdg mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/xdg
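
One way to audit a directory for the condition this message describes, a file whose content is a .desktop launcher while its name suggests something else. This is an added example, not part of the original post or of shared-mime-info; the header-matching heuristic, the function names and the sample files are assumptions constructed here.

```python
import os
import tempfile
# Heuristic assumed by this example (not shared-mime-info's actual magic rule):
GROUP_HEADERS = (b"[Desktop Entry]", b"[KDE Desktop Entry]")
LAUNCHER_SUFFIXES = (".desktop", ".directory")

def desktop_entry_exec(path, limit=65536):
    """Return the Exec= value ("" if absent) when content is a desktop entry, else None."""
    try:
        with open(path, "rb") as fh:
            lines = [l.strip() for l in fh.read(limit).splitlines()]
    except OSError:
        return None
    body = [l for l in lines if l and not l.startswith(b"#")]
    if not body or body[0] not in GROUP_HEADERS:
        return None
    for line in body[1:]:
        if line.startswith(b"["):  # next group reached, main entry has no Exec
            break
        key, sep, value = line.partition(b"=")
        if sep and key.strip() == b"Exec":
            return value.strip().decode("utf-8", "replace")
    return ""

def find_disguised_launchers(root):
    """List (path, exec_command) for launcher content stored under a non-launcher name."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(LAUNCHER_SUFFIXES) or os.path.islink(path):
                continue
            command = desktop_entry_exec(path)
            if command is not None:
                hits.append((path, command))
    return sorted(hits)

def build_samples(root):
    """Write constructed samples; "apple.jpg " mirrors the name quoted in the message."""
    entry = b"[Desktop Entry]\nType=Application\nIcon=apple\nExec=/bin/true\n"
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00[Desktop Entry]\n"  # image header first
    for name, data in (("apple.jpg ", entry), ("editor.desktop", entry), ("photo.jpg", jpeg)):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(tmp)
        print(find_disguised_launchers(tmp))
```

Paths are returned unmodified, so printing them with `repr` keeps a trailing space in a file name visible.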
