Bug#860268: .desktop files can hide malware in Nautilus

Micah Lee micah at micahflee.com
Thu Apr 13 19:20:35 UTC 2017


Package: nautilus
Version: 3.22.3-1

There is a bug in Nautilus that makes it possible to disguise a
malicious script as an innocent document, like a PDF or ODT, that gets
executed when the user opens it.

The upstream nautilus issue [1] has already been resolved, and will be
released in nautilus 3.24. But since this is an important security
issue, I think this patch should be backported so that it's fixed in
older versions of Debian.

See this blog post [2] for more about how this bug allows attackers to
compromise the security-focused Debian-based distro Subgraph.

[1] https://bugzilla.gnome.org/show_bug.cgi?id=777991
[2] https://micahflee.com/2017/04/breaking-the-security-model-of-subgraph-os/
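
A defender-side check for the disguise this report describes, as an added example that is not part of the original bug report or of Nautilus: it walks a directory and flags `.desktop` launchers whose Name or Icon imitates a document. The suffix and icon-hint lists, the function names and the two sample files are assumptions made for illustration.

```python
import configparser
import os
import tempfile

# Assumed heuristics: suffixes and icon-name fragments that imitate a document.
DOC_SUFFIXES = (".pdf", ".odt", ".ods", ".odp", ".doc", ".docx", ".txt")
ICON_HINTS = ("pdf", "x-office", "text-x-generic", "document")

def inspect_desktop_file(path):
    """Return findings for one .desktop file; an empty list means nothing flagged."""
    parser = configparser.RawConfigParser(strict=False)
    parser.optionxform = str  # Desktop Entry keys are case-sensitive
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            parser.read_file(fh)
        entry = parser["Desktop Entry"]
    except (configparser.Error, KeyError, OSError):
        return []  # unreadable, or not a desktop entry at all
    if entry.get("Type", "") != "Application" or "Exec" not in entry:
        return []  # only Application entries carry a command to run
    findings = []
    name, icon = entry.get("Name", ""), entry.get("Icon", "")
    if name.lower().endswith(DOC_SUFFIXES):
        findings.append(f"Name looks like a document: {name!r}")
    if any(hint in icon.lower() for hint in ICON_HINTS):
        findings.append(f"Icon imitates a document type: {icon!r}")
    if findings:
        findings.append(f"Exec would run: {entry['Exec']!r}")
    return findings

def scan_tree(root):
    """Map each flagged .desktop path under root to its findings."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in (f for f in files if f.endswith(".desktop")):
            findings = inspect_desktop_file(os.path.join(dirpath, fname))
            if findings:
                flagged[os.path.join(dirpath, fname)] = findings
    return flagged

def demo():
    samples = {  # constructed sample launchers; the Exec lines are harmless
        "invoice.desktop": "[Desktop Entry]\nType=Application\nName=invoice.pdf\nIcon=application-pdf\nExec=echo sample\n",
        "editor.desktop": "[Desktop Entry]\nType=Application\nName=Text Editor\nIcon=org.gnome.gedit\nExec=gedit %U\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for fname, body in samples.items():
            with open(os.path.join(tmp, fname), "w", encoding="utf-8") as fh:
                fh.write(body)
        return {os.path.basename(p): f for p, f in scan_tree(tmp).items()}
```

Calling `scan_tree()` on a download or attachment directory lists each launcher that presents itself as a document, together with the command it would run.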


