[Xfce-bugs] [Bug 13329] Hiding filename/extension for .desktop files with execute permission.

bugzilla-daemon at xfce.org
Thu Oct 5 22:13:08 CEST 2017


Yves-Alexis Perez <corsac at debian.org> changed:

           What    |Removed                     |Added
                 CC|                            |corsac at debian.org

--- Comment #3 from Yves-Alexis Perez <corsac at debian.org> ---
The same kind of issue has been assigned CVE-2017-14604 in Nautilus. See also
https://micahflee.com/2017/04/breaking-the-security-model-of-subgraph-os/ and
The executable bit protection can be somehow bypassed by, for example, shipping a
tarball that would be extracted by a user. For Nautilus it's even worse
because apparently if the .desktop file is called foo.desktop.pdf it'll be
displayed with a PDF icon but handled as a .desktop file.

Nautilus fixed it by storing the “executable” / “trusted” information in
metadata, which is apparently gio/gvfs stuff, stored on the filesystem in
XDG_DATA_DIR/gvfs-metadata (usually .local/share/gvfs-metadata), which is
supposedly not reachable when extracting a tarball (unless there's a directory
traversal vulnerability in the extraction process).

I'm not sure if something like that applies to Thunar, but it'd be nice to have
additional hardening.
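An added illustration of the two points made in the comment above (example code written for this page, not from the bug report, Thunar or Nautilus): a tarball carries the exec bit through extraction and a double extension hides what the file is, while a trust record kept outside the extracted tree does not travel with the archive. The `trust_db` dict is a hypothetical stand-in for the gvfs-metadata store; the archive, its `foo.desktop.pdf` name and the `Exec=/bin/true` launcher are constructed here.

```python
import io
import os
import stat
import tarfile
import tempfile

# Constructed launcher: a .pdf-suffixed name but Desktop Entry content.
DESKTOP_ENTRY = (b"[Desktop Entry]\nType=Application\nName=Report\n"
                 b"Exec=/bin/true\nIcon=application-pdf\n")

def build_tarball(name: str, mode: int) -> bytes:
    """Constructed tarball holding one file with the given permission bits."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name)
        info.size, info.mode = len(DESKTOP_ENTRY), mode
        tar.addfile(info, io.BytesIO(DESKTOP_ENTRY))
    return buf.getvalue()

def extract(data: bytes, dest: str) -> None:
    """Extract as a user would; the archive's own mode bits are applied."""
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        kw = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **kw)

def is_desktop_entry(path: str) -> bool:
    """Content check: a launcher is a launcher whatever its suffix says."""
    with open(path, "rb") as fh:
        return fh.read(64).lstrip().startswith(b"[Desktop Entry]")

def is_trusted(path: str, trust_db: dict) -> bool:
    """Launch only if the exec bit AND an out-of-band trust record agree.
    trust_db is a hypothetical stand-in for the gvfs-metadata store: it lives
    outside the extracted tree, so an archive cannot ship a 'trusted' flag."""
    exec_bit = bool(os.stat(path).st_mode & stat.S_IXUSR)
    return exec_bit and trust_db.get(os.path.realpath(path)) is True

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        extract(build_tarball("foo.desktop.pdf", 0o755), tmp)
        path = os.path.join(tmp, "foo.desktop.pdf")
        trust_db = {}  # nothing has been marked trusted on this account yet
        before = is_trusted(path, trust_db)
        trust_db[os.path.realpath(path)] = True  # the user explicitly approves
        return {
            "exec_bit_survived": bool(os.stat(path).st_mode & stat.S_IXUSR),
            "looks_like_launcher": is_desktop_entry(path),
            "trusted_before_approval": before,
            "trusted_after_approval": is_trusted(path, trust_db),
        }
```

Running `demo()` shows the exec bit set and launcher content detected right after extraction, yet the file is not trusted until the user approves it, because the approval lives outside anything the archive could contain.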
