[Xfce-bugs] [Bug 13329] Hiding filename/extention for .desktop files with execute permission.

bugzilla-daemon at xfce.org bugzilla-daemon at xfce.org
Thu Oct 5 22:13:08 CEST 2017


https://bugzilla.xfce.org/show_bug.cgi?id=13329

Yves-Alexis Perez <corsac at debian.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |corsac at debian.org

--- Comment #3 from Yves-Alexis Perez <corsac at debian.org> ---
The same kind of issue has been assigned CVE-2017-14604 in Nautilus. See also 

https://micahflee.com/2017/04/breaking-the-security-model-of-subgraph-os/ and 
https://bugzilla.gnome.org/show_bug.cgi?id=777991
https://github.com/GNOME/nautilus/commit/1630f53481f445ada0a455e9979236d31a8d3bb0

The executable bit protection can be somehow bypassed by for example shipping a
tarball which would be extracted by an user. For Nautilus it's even worse
because apparently if the .desktop file is called foo.desktop.pdf it'll be
displayed as a PDF icon but handled as a .desktop file.

Nautilus fixed it by storing the “executable” / “trusted” information in a
metadata, which is apparently a gio/gvfs stuff, stored on the filesystem in
XDG_DATA_DIR/gvfs-metadata (usually .local/share/gvfs-metadata), which is
supposingly not reachable when extracting a tarball (unless there's a directory
traversal vulnerability in the extraction process).

I'm not sure if something like that applies to Thunar, but it'd be nice to have
additional hardening.

-- 
You are receiving this mail because:
You are the assignee for the bug.


More information about the Xfce-bugs mailing list