.desktop files, serious security hole, virus-friendliness

Stanislav Brabec sbrabec at suse.cz
Thu Jan 25 02:13:01 PST 2007


Benedikt Meurer wrote on Thu 25. 01. 2007 at 10:44 +0100:
> Stanislav Brabec wrote:
> > We just got a new bug report. After playing with it, I believe that it
> > is a security problem. I am attaching a file which is not supposed to
> > be displayed as an image, but it is (you need the gnome-desktop package to see
> > the icon).
> > 
> > It's enough to save this file to any directory and you execute anything.
> > Note that the file name is "apple.jpg ".
> > 
> > https://bugzilla.novell.com/show_bug.cgi?id=238503
> > 
> > Proposed fix:
> > Better .desktop file detection in shared-mime-info (e. g. remove magic).
> 
> Hm, I would suggest fixing gnome-vfs instead. For example, the Xfce file
> manager identifies this file as possible malware.

I guess that gnome-vfs has no problem, but the problem is the too vague
definition of application/x-desktop in shared-mime-info. If you rename
this file to "apple.jpg", nautilus will correctly evaluate the MIME type
conflict and will not open it.

But because the pattern "*.jpg " has no MIME association, shared-mime-info
offers no warning that a file which conforms to the defined magic but does not
have a name of the form "*.desktop" is suspicious.

Glob pattern and magic in shared-mime-info mean: recognize the MIME type if the
file has the suffix OR the file conforms to the magic. In this case, we need AND (or
remove the magic altogether).

-- 
Best Regards / S pozdravem,

Stanislav Brabec
software developer
---------------------------------------------------------------------
SUSE LINUX, s. r. o.                          e-mail: sbrabec at suse.cz
Lihovarská 1060/12                            tel: +420 284 028 966
190 00 Praha 9                                fax: +420 284 028 951
Czech Republic                                http://www.suse.cz/
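The OR-versus-AND point made in the message above, as an added example that is not part of the original mail or of shared-mime-info itself. It models a tiny, constructed subset of the MIME database (two glob patterns, two magic prefixes) and compares a lenient resolver, where a name match or a magic match is enough, with a hardened one that demands both for types whose "open" action executes code. The attachment from the bug report is not on the page, so the sample file contents are constructed stand-ins; the real lookup algorithm in the shared-mime-info specification is more involved than what is shown here.

```python
import fnmatch

# Constructed, minimal stand-in for the shared-mime-info database (the real
# freedesktop.org.xml has thousands of entries). Only the two types the mail
# talks about are modelled.
GLOBS = {
    "*.desktop": "application/x-desktop",
    "*.jpg": "image/jpeg",
    "*.jpeg": "image/jpeg",
}
MAGIC = [
    (b"[Desktop Entry]", "application/x-desktop"),
    (b"\xff\xd8\xff", "image/jpeg"),
]
# Types whose "open" action runs code rather than rendering content.
EXECUTABLE_TYPES = frozenset({"application/x-desktop"})
FALLBACK = "application/octet-stream"

# Constructed sample files standing in for the attachment from the report.
DESKTOP_BYTES = b"[Desktop Entry]\nType=Application\nName=apple\n"
JPEG_BYTES = b"\xff\xd8\xff\xe0" + b"\x00" * 16


def match_glob(filename):
    """Name-based lookup. 'apple.jpg ' (trailing space) matches nothing."""
    for pattern, mime in GLOBS.items():
        if fnmatch.fnmatchcase(filename, pattern):
            return mime
    return None


def match_magic(data):
    """Content-based lookup on a leading byte signature."""
    for prefix, mime in MAGIC:
        if data.startswith(prefix):
            return mime
    return None


def resolve_or(filename, data):
    """Lenient resolution, the behaviour the mail criticises: a glob hit OR a
    magic hit is enough. Returns (mime, verdict)."""
    by_name, by_magic = match_glob(filename), match_magic(data)
    if by_name and by_magic and by_name != by_magic:
        # Name and content disagree; a careful caller (nautilus in the mail) warns here.
        return by_magic, "conflict"
    # No name match at all: magic decides silently. This is the hole:
    # 'apple.jpg ' with .desktop contents comes back as application/x-desktop, "ok".
    return by_name or by_magic or FALLBACK, "ok"


def resolve_and(filename, data):
    """Hardened resolution: for executable types, name AND content must agree;
    anything else is reported as suspicious and demoted to the fallback type."""
    by_name, by_magic = match_glob(filename), match_magic(data)
    if by_name in EXECUTABLE_TYPES or by_magic in EXECUTABLE_TYPES:
        if by_name != by_magic:
            return FALLBACK, "suspicious"
        return by_name, "ok"
    if by_name and by_magic and by_name != by_magic:
        return by_magic, "conflict"
    return by_name or by_magic or FALLBACK, "ok"


if __name__ == "__main__":
    samples = [("apple.jpg ", DESKTOP_BYTES), ("apple.jpg", DESKTOP_BYTES),
               ("launcher.desktop", DESKTOP_BYTES), ("photo.jpg", JPEG_BYTES)]
    for name, data in samples:
        print(repr(name), "OR:", resolve_or(name, data), "AND:", resolve_and(name, data))
```

Under `resolve_or`, "apple.jpg " is silently classified as application/x-desktop because no glob matches and magic fills the gap, which is exactly the case where a file manager would show the icon and run the entry. Under `resolve_and`, any file whose name and contents do not both say .desktop is demoted to application/octet-stream and flagged, so a trailing space or a renamed file no longer earns executable treatment.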