Bug#515104: closed by Josselin Mouette <joss at debian.org> (Bug#515104: fixed in nautilus 2.26.2-1)

Josselin Mouette joss at debian.org
Sat Apr 25 17:56:43 UTC 2009


On Saturday 25 April 2009 at 13:34 -0400, Michael S. Gilbert wrote:
> On Sat, 25 Apr 2009 01:15:11 +0000 Debian Bug Tracking System wrote:
> > This is an automatic notification regarding your Bug report
> > which was filed against the nautilus package:
> > 
> > #515104: nautilus: potential exploits via application launchers
> 
> awesome!  any chance of backporting this to lenny (and perhaps etch), or
> are the changes too substantial?

The changes are already substantial compared to nautilus 2.24, but 2.20
in lenny is a quite different codebase (GIO vs. GnomeVFS). I presume it
would be a lot of work to do the porting, but it is probably feasible,
maybe by extending the existing patches that check for .desktop file
safety.

It may be simpler to cater for the most obvious attack vector, by making
epiphany and iceweasel refuse to store files with names ending
in .desktop.

Cheers,
-- 
 .''`.      Josselin Mouette
: :' :
`. `'   “I recommend you to learn English in hope that you in
  `-     future understand things”  -- Jörg Schilling