https://bugzilla.xfce.org/show_bug.cgi?id=13329
Yves-Alexis Perez <cor...@debian.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |cor...@debian.org
--- Comment #3 from Yves-Alexis Perez <cor...@debian.org> ---
The same kind of issue has been assigned CVE-2017-14604 in Nautilus. See also
https://micahflee.com/2017/04/breaking-the-security-model-of-subgraph-os/ and
https://bugzilla.gnome.org/show_bug.cgi?id=777991
https://github.com/GNOME/nautilus/commit/1630f53481f445ada0a455e9979236d31a8d3bb0
The executable bit protection can be somehow bypassed by for example shipping a
tarball which would be extracted by an user. For Nautilus it's even worse
because apparently if the .desktop file is called foo.desktop.pdf it'll be
displayed as a PDF icon but handled as a .desktop file.
Nautilus fixed it by storing the “executable” / “trusted” information in a
metadata, which is apparently a gio/gvfs stuff, stored on the filesystem in
XDG_DATA_DIR/gvfs-metadata (usually .local/share/gvfs-metadata), which is
supposingly not reachable when extracting a tarball (unless there's a directory
traversal vulnerability in the extraction process).
I'm not sure if something like that applies to Thunar, but it'd be nice to have
additional hardening.
--
You are receiving this mail because:
You are the assignee for the bug.
_______________________________________________
Xfce-bugs mailing list
Xfce-bugs@xfce.org
https://mail.xfce.org/mailman/listinfo/xfce-bugs
