.desktop files, serious security hole, virus-friendliness
Stanislav Brabec
sbrabec at suse.cz
Thu Jan 25 02:13:01 PST 2007
Benedikt Meurer píše v Čt 25. 01. 2007 v 10:44 +0100:
> Stanislav Brabec wrote:
> > We just got a new bug report. After playing with it, I believe that it
> > is a security problem. I am attaching a file, which is not supposed to
> > be displayed as image, but it is (you need gnome-desktop package to see
> > the icon).
> >
> > It's enough to save this file to any directory and you execute anything.
> > Note, that the file name is "apple.jpg ".
> >
> > https://bugzilla.novell.com/show_bug.cgi?id=238503
> >
> > Proposed fix:
> > Better .desktop file detection in shared-mime-info (e. g. remove magic).
>
> Hm, I would suggest to fix gnome-vfs instead. For example, the Xfce file
> manager identifies this file as possible malware.
I guess that gnome-vfs has no problem, but the problem is too vague
definition of application/x-desktop in shared-mime-info. If you rename
this file to "apple.jpg", nautilus will correctly evaluate MIME type
conflict and will not open it.
But because pattern "*.jpg " has no MIME association, shared-mime-info
offers no warning, that file which conforms defined magic but does not
have name in form "*.desktop" is suspicious.
glob pattern and magic in shared mime info mean: Recognize MIME type, if
file has suffix OR file conforms magic. In this case, we need AND (or
remove magic at all).
--
Best Regards / S pozdravem,
Stanislav Brabec
software developer
---------------------------------------------------------------------
SUSE LINUX, s. r. o. e-mail: sbrabec at suse.cz
Lihovarská 1060/12 tel: +420 284 028 966
190 00 Praha 9 fax: +420 284 028 951
Czech Republic http://www.suse.cz/
More information about the xdg
mailing list