Bug #14584

Backport security fix for Nautilus .desktop file RCE

Added by DonnchaC 2017-09-01 16:27:45. Updated 2017-09-02 09:28:29.

Status: Rejected
Priority: Normal
Assignee:
Category:
Target version:
Start date: 2017-09-01
Due date:
% Done: 0%
Feature Branch:
Type of work: Debian
Blueprint:
Starter:
Affected tool:
Deliverable for:

Description

There is a major security issue with how Nautilus <= 3.22 handles .desktop launcher shortcuts. Trusted .desktop launchers are able to run arbitrary code when launched. Any .desktop with the executable bit set is treated as trusted by Nautilus.

This opens an attack where an executable .desktop file can be delivered by an attacker in an archive file. After extraction the .desktop file is displayed with an attacker-controlled filename and icon. This vulnerability affects Tails users and was demonstrated in a proof-of-concept with SecureDrop users: https://github.com/freedomofpress/securedrop/issues/2238

The security issue was fixed in Nautilus 3.24 but it was not backported to previous versions. Micah Lee has opened a backport request at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860268.

I think it is important that this fix be applied for Tails users as soon as possible. I’m happy to help in any way that I can.

Nautilus bug report: https://bugzilla.gnome.org/show_bug.cgi?id=777991
Debian ticket request backport: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860268
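
A defender-side check for the condition this ticket describes, added here as an example that is not part of the original ticket or of Nautilus: it lists `.desktop` files under a directory (for instance a freshly extracted archive) that carry an executable bit, shows their `Name` and `Exec` values for review, and can clear the bit. The function names and sample files are constructed for illustration, and matching on the `.desktop` suffix is an assumption.

```python
import configparser
import os
import stat

def read_entry(path):
    """Return the [Desktop Entry] keys of a launcher file, or {} if unparseable."""
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",))
    parser.optionxform = str  # desktop-entry keys are case-sensitive
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            parser.read_file(fh)
        return dict(parser.items("Desktop Entry"))
    except (configparser.Error, OSError):
        return {}

def find_executable_launchers(root):
    """List (path, Name, Exec) for regular *.desktop files with any exec bit set."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            mode = os.lstat(path).st_mode  # lstat: symlinks are not followed
            if (fname.lower().endswith(".desktop") and stat.S_ISREG(mode)
                    and mode & 0o111):
                entry = read_entry(path)
                found.append((path, entry.get("Name", ""), entry.get("Exec", "")))
    return sorted(found)

def clear_exec_bits(path):
    """Drop every executable bit so the file no longer meets the trust condition."""
    os.chmod(path, stat.S_IMODE(os.lstat(path).st_mode) & ~0o111)

def build_constructed_sample(root):
    """Write constructed test files: one executable launcher, one non-executable."""
    body = "[Desktop Entry]\nType=Application\nName=Constructed sample\nExec=/bin/true\n"
    for fname, mode in (("flagged.desktop", 0o755), ("ignored.desktop", 0o644)):
        path = os.path.join(root, fname)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, mode)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        for path, name, command in find_executable_launchers(tmp):
            print(f"{path}: Name={name!r} Exec={command!r}")
            clear_exec_bits(path)
        print("remaining:", find_executable_launchers(tmp))
```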


Related issues

Related to Tails - Bug #14793: Custom Desktop launchers are totally buggy Resolved 2017-10-06

History

#1 Updated by mercedes508 2017-09-02 09:28:29

  • Status changed from New to Rejected
  • Priority changed from High to Normal

Thanks for your ticket. But this will be fixed in Debian; as you can see on the Debian bug tracker, we’re on it!

#2 Updated by intrigeri 2017-10-06 05:39:25

  • related to Bug #14793: Custom Desktop launchers are totally buggy added