.desktop files, serious security hole, virus-friendliness

Stanislav Brabec sbrabec at suse.cz
Thu Jan 25 01:19:21 PST 2007


Rodney Dawes wrote:
> First off, you apparently missed the whole thread about this, which was
> started on March 23. You might want to look at the archives and read
> through it. The replies extend into April.
> 
> http://lists.freedesktop.org/archives/xdg/2006-March/007904.html
> 
> 
> On Sun, 2006-04-02 at 22:29 -0700, Sam Watkins wrote:
> > 1. do you agree that this is a serious security problem?
> 
> I don't think it is a serious security problem. While it does expose
> the ability to run shell commands from the .desktop file, it doesn't
> seem likely that many people will do it. I mean, Windows has had
> shortcut files which are pretty much exactly the same as our .desktop
> files, and you never hear of anyone doing specific attacks like you
> suggest would be done. There are much more interesting ways to do them,
> than to have a .desktop file with an icon/label that lies about itself.

We just got a new bug report. After playing with it, I believe that it
is a security problem. I am attaching a file which is not supposed to
be displayed as an image, but it is (you need the gnome-desktop package to see
the icon).

It's enough to save this file to any directory, and you can execute anything.
Note that the file name is "apple.jpg ".

https://bugzilla.novell.com/show_bug.cgi?id=238503

Proposed fix:

Better .desktop file detection in shared-mime-info (e. g. remove magic).

-- 
Best Regards / S pozdravem,

Stanislav Brabec
software developer
---------------------------------------------------------------------
SUSE LINUX, s. r. o.                          e-mail: sbrabec at suse.cz
Lihovarská 1060/12                            tel: +420 284 028 966
190 00 Praha 9                                fax: +420 284 028 951
Czech Republic                                http://www.suse.cz/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: apple.jpg
Type: application/x-desktop
Size: 100 bytes
Desc: not available
Url : http://lists.freedesktop.org/archives/xdg/attachments/20070125/00456866/attachment.bin 
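The problem described in the mail is that a desktop entry is recognised by its content (the `[Desktop Entry]` magic) rather than by its `.desktop` name, so a file called "apple.jpg " is shown with whatever icon and label it declares. The following audit script is an added example written for this page; it is not code from the thread, from shared-mime-info or from gnome-desktop. It applies the same content-based test a MIME magic rule would, then flags desktop entries whose file name disagrees with what they are: no `.desktop` extension, a trailing-whitespace trick in the name, or an image extension combined with an `Exec=` key. The sample entries, the `/bin/true` placeholder command and the temporary directory layout are constructed for the demo.

```python
import os
import re
import tempfile
from pathlib import Path

# Extensions a user would reasonably expect to be a plain picture, not a launcher.
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".svg", ".tiff"}

# The same content signature a MIME "magic" rule keys on for application/x-desktop.
DESKTOP_HEADER = re.compile(rb"^\s*\[Desktop Entry\]\s*$", re.MULTILINE)


def looks_like_desktop_entry(data: bytes) -> bool:
    """Content-based test: does the file start with a [Desktop Entry] group?"""
    return DESKTOP_HEADER.search(data[:4096]) is not None


def parse_desktop_entry(data: bytes) -> dict:
    """Minimal INI-style parser for the keys of the [Desktop Entry] group only."""
    keys = {}
    in_group = False
    for raw in data.decode("utf-8", errors="replace").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, value = line.split("=", 1)
            keys[key.strip()] = value.strip()
    return keys


def audit_desktop_file(filename: str, data: bytes) -> list:
    """Return finding codes for one file; an empty list means nothing suspicious.

    A real JPEG never reaches the checks: it has no [Desktop Entry] header.
    """
    if not looks_like_desktop_entry(data):
        return []
    findings = []
    entry = parse_desktop_entry(data)
    trimmed = filename.rstrip()
    if trimmed != filename:
        # "apple.jpg " style names hide the fact that the visible extension is not the real one.
        findings.append("trailing-whitespace-in-name")
    if not trimmed.endswith(".desktop"):
        # Content says desktop entry, name says something else: name/content mismatch.
        findings.append("desktop-entry-without-desktop-extension")
    ext = os.path.splitext(trimmed)[1].lower()
    if ext in IMAGE_EXTS and "Exec" in entry:
        # Looks like a picture to the user but carries a command to run.
        findings.append("image-extension-but-has-Exec")
    return findings


def audit_directory(root) -> dict:
    """Walk a directory tree and return {relative path: [findings]} for flagged files."""
    root = Path(root)
    flagged = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            data = path.read_bytes()[:4096]
        except OSError:
            continue
        findings = audit_desktop_file(path.name, data)
        if findings:
            flagged[str(path.relative_to(root))] = findings
    return flagged


# Constructed samples for the demo (not the attachment from the mail).
DECOY_ENTRY = (
    b"[Desktop Entry]\n"
    b"Type=Application\n"
    b"Name=apple.jpg\n"
    b"Icon=image-x-generic\n"   # constructed: a stock icon name that renders as a picture
    b"Exec=/bin/true\n"         # constructed harmless placeholder command
)
LEGIT_ENTRY = b"[Desktop Entry]\nType=Application\nName=Editor\nExec=gedit %f\n"
JPEG_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"   # first bytes of a real JPEG


def demo() -> dict:
    """Write the constructed samples into a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "apple.jpg ").write_bytes(DECOY_ENTRY)     # note the trailing space
        (root / "editor.desktop").write_bytes(LEGIT_ENTRY)
        (root / "photo.jpg").write_bytes(JPEG_HEADER)
        return audit_directory(root)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(repr(name), "->", ", ".join(findings))
```

Only the decoy is reported; the genuine `.desktop` launcher and the real JPEG pass. The script deliberately keeps the content-based detection so that it finds exactly the files a magic-based MIME database would misclassify; the proposed shared-mime-info fix (dropping the magic so only `*.desktop` names are treated as launchers) removes the mismatch at the source, and this audit is a way to find files already on disk that rely on it.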