Bug#408556: SECURITY: Incorrect MIME type detection can trick users into running arbitrary commands
Loïc Minier
lool at dooz.org
Mon Jan 29 15:13:27 CET 2007
clone 408556 -1
reassign 408556 nautilus
retitle -1 SECURITY: Specially crafted .desktop files can disguise as harmless files
stop
Hi,
Since it wasn't clear for everybody reading this bug: Debian #408556 is
about the fact that files with unknown extensions (e.g. ".jpg ", mind
the final space), but executable contents (such as a .desktop file), can
trick users into running arbitrary commands.
This is a security problem because you can trick users into saving a
file named e.g. "apple.jpg " and opening it because they might think
opening .jpg files is safe, but gnome-vfs/shared-mime-info will report
the MIME type as being ".desktop file" and nautilus will run the
specified command instead of opening the .jpg viewer.
The proposed solution for this bug is to check whether the file uses
the correct extension for its MIME type as is done in Xfce's VFS lib
(see attached .c snippet).
I'm cloning this bug and reassigning against nautilus because the
current way in which .desktop files are painted in nautilus is a
security issue in itself: people can host dangerous files on smb://
shares and trick users into opening them because nautilus will display
the .desktop file using its embedded "Name" and "Icon"; so you can
display the .desktop file as if it were a picture or sound file with
the name of a picture or sound file, and people will be tricked into
opening it with no useful way to distinguish.
The proposed solution for this bug is to filter for which URLs nautilus
is allowed to nicely display .desktop files. http:// and smb:// could
be disabled by default and file:// and computer:// could be enabled,
but some special URLs need to be explicitly authorized as nautilus
relies on .desktop files support in e.g. smb://$workgroup/ to list
computer names.
Bye,
--
Loïc Minier <lool at dooz.org>
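The two checks proposed in the message, as an added example that is not part of the original bug report and not code from nautilus, gnome-vfs or Xfce's VFS library. The first mirrors the Xfce-style "does the extension match the detected MIME type" test: the filename's literal extension (trailing whitespace included) is looked up in a small constructed table, and a launcher whose extension does not say it is a launcher is flagged as disguised. The second is a URI-scheme allowlist for deciding whether a .desktop file may be rendered with its embedded Name/Icon: file:// and computer:// are allowed, http:// and smb:// paths are not, and only a path-less smb://$workgroup/ listing is explicitly authorized. The MIME sniffer, the extension table, the sample file contents and the workgroup heuristic are all assumptions made for the example.

```python
import os
from typing import Optional
from urllib.parse import urlsplit

# --- constructed samples (not real files from the bug report) -------------
# A minimal launcher whose metadata claims to be a picture; Exec is a placeholder.
DESKTOP_SAMPLE = (
    b"[Desktop Entry]\n"
    b"Type=Application\n"
    b"Name=holiday.jpg\n"
    b"Icon=image-x-generic\n"
    b"Exec=/path/to/placeholder\n"
)
# First bytes of a JPEG (SOI marker), padded so it looks like file content.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 16

# Types whose "opening" means executing something. Assumption: a tiny subset
# of what shared-mime-info would report.
EXECUTABLE_TYPES = {"application/x-desktop", "application/x-executable"}

# Extension -> MIME type. Keys are matched against the *literal* extension, so
# ".jpg " (with a trailing space) deliberately does not match ".jpg".
EXTENSION_TABLE = {
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".png": "image/png",
    ".ogg": "audio/ogg",
    ".desktop": "application/x-desktop",
}


def sniff_mime(data: bytes) -> str:
    """Stand-in for content-based MIME detection (assumption: two magic rules)."""
    if data.lstrip().startswith(b"[Desktop Entry]"):
        return "application/x-desktop"
    if data.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    return "application/octet-stream"


def extension_mime(filename: str) -> Optional[str]:
    """MIME type implied by the filename's extension, without trimming whitespace."""
    _, ext = os.path.splitext(filename)
    return EXTENSION_TABLE.get(ext.lower())


def classify(filename: str, data: bytes) -> dict:
    """Compare what the name promises with what the content is.

    'disguised' is True when the content is something that would be run
    (a launcher) but the extension does not say so, e.g. "apple.jpg " whose
    content is a [Desktop Entry]. Such a file should be shown with its raw
    name and never with the Name/Icon it embeds.
    """
    detected = sniff_mime(data)
    expected = extension_mime(filename)
    extension_matches = expected == detected
    return {
        "filename": filename,
        "detected": detected,
        "expected_from_extension": expected,
        "extension_matches": extension_matches,
        "disguised": detected in EXECUTABLE_TYPES and not extension_matches,
    }


# --- where nautilus may render .desktop files "nicely" --------------------
RENDER_DESKTOP_SCHEMES = {"file", "computer"}


def may_render_desktop(uri: str) -> bool:
    """Allowlist: local schemes yes, remote content no, special listings by exception.

    Assumption for the smb:// exception: a URI with an empty path
    (smb://WORKGROUP/) is a workgroup/server listing, which nautilus itself
    builds from .desktop entries, so it is explicitly authorized; anything
    with a share or file path underneath is treated as remote content.
    """
    parts = urlsplit(uri)
    if parts.scheme in RENDER_DESKTOP_SCHEMES:
        return True
    if parts.scheme == "smb":
        return parts.path in ("", "/")
    return False


if __name__ == "__main__":
    for name, data in (("apple.jpg ", DESKTOP_SAMPLE), ("apple.jpg", JPEG_SAMPLE)):
        print(classify(name, data))
    for uri in ("file:///home/user/app.desktop", "smb://WORKGROUP/",
                "smb://server/share/apple.jpg ", "http://host.invalid/apple.jpg "):
        print(uri, "->", may_render_desktop(uri))
```

Note that the extension check is done on the unmodified name on purpose: trimming whitespace before the lookup would turn "apple.jpg " back into a .jpg and hide exactly the case the bug describes.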