.desktop files, serious security hole, virus-friendliness

Benedikt Meurer benny at xfce.org
Thu Jan 25 01:44:14 PST 2007


Stanislav Brabec wrote:
> We just got a new bug report. After playing with it, I believe that it
> is a security problem. I am attaching a file, which is not supposed to
> be displayed as image, but it is (you need gnome-desktop package to see
> the icon).
> 
> It's enough to save this file to any directory and you execute anything.
> Note that the file name is "apple.jpg ".
> 
> https://bugzilla.novell.com/show_bug.cgi?id=238503
> 
> Proposed fix:
> Better .desktop file detection in shared-mime-info (e.g. remove magic).

Hm, I would suggest fixing gnome-vfs instead. For example, the Xfce file
manager identifies this file as possible malware.

Benedikt
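
As an added illustration (not part of the original message, and not the actual logic of the Xfce file manager, gnome-vfs or shared-mime-info): a check that flags files whose content is a desktop entry but whose name does not end in `.desktop`, which is the mismatch in the reported `apple.jpg ` file. The function names, the sample files and the `/bin/true` Exec value are constructed for this example.

```python
import os
import tempfile

HEADERS = (b"[Desktop Entry]", b"[KDE Desktop Entry]")

def parse_launcher(data: bytes):
    """Return the Exec value if data is a desktop entry, else None.

    Content-based: the first non-blank, non-comment line must be a group header.
    """
    lines = [l.strip() for l in data.lstrip(b"\xef\xbb\xbf").splitlines()]
    body = [l for l in lines if l and not l.startswith(b"#")]
    if not body or body[0] not in HEADERS:
        return None
    for line in body[1:]:
        key, sep, value = line.partition(b"=")
        if sep and key.strip() == b"Exec":
            return value.strip().decode("utf-8", "replace")
    return ""  # desktop entry without an Exec key (e.g. Type=Link)

def find_disguised_launchers(directory: str):
    """List (file name, Exec value) for desktop entries not named *.desktop."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            exec_value = parse_launcher(fh.read(8192))
        # Exact suffix match: "apple.jpg " (trailing space) does not qualify.
        if exec_value is not None and not name.endswith(".desktop"):
            findings.append((name, exec_value))
    return findings

def demo():
    """Run the scan over constructed sample files in a temporary directory."""
    entry = b"[Desktop Entry]\nType=Application\nName=apple.jpg\nExec=/bin/true\n"
    samples = {
        "apple.jpg ": entry,                            # constructed: launcher posing as an image
        "editor.desktop": entry,                        # constructed: honestly named launcher
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\0" * 16,  # constructed: JPEG magic bytes
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return find_disguised_launchers(tmp)

if __name__ == "__main__":
    print(demo())
```
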


