Bug#860268: .desktop files can hide malware in Nautilus

Micah Lee micah at micahflee.com
Thu Apr 13 19:20:35 UTC 2017

Package: nautilus
Version: 3.22.3-1

There is a bug in Nautilus that makes it possible to disguise a
malicious script as an innocent document, like a PDF or ODT, that gets
executed when the user opens it.

The upstream nautilus issue [1] has already been resolved, and will be
released in nautilus 3.24. But since this is an important security
issue, I think this patch should be backported so that it's fixed in
older versions of Debian.

See this blog post [2] for more about how this bug allows attackers to
compromise the security-focused Debian-based distro Subgraph.

[1] https://bugzilla.gnome.org/show_bug.cgi?id=777991

More information about the pkg-gnome-maintainers mailing list