Bug#860268: [Fwd: Re: Bug#860268: .desktop files can hide malware in Nautilus]

Phil Wyett philwyett at kathenas.org
Wed Oct 11 18:34:18 UTC 2017


On Sat, 2017-10-07 at 21:06 +0200, Yves-Alexis Perez wrote:
> On Thu, 2017-10-05 at 21:42 +0200, Yves-Alexis Perez wrote:
> > On Sat, 2017-09-23 at 01:38 +0100, Phil Wyett wrote:
> > > Hi Security Team,
> > > > 
> > > > Please accept the attached 'nautilus' debdiff for stretch-security.
> > > > 
> > > > Info:
> > > > 
> > > > The debdiff is a backport of the fix from upstream[1] and includes
> > > > translations for the UI changes.
> > > > 
> > > > [1]: https://github.com/GNOME/nautilus/commit/1630f53481f445ada0a455e9979236d31a8d3bb0
> > 
> > Hi Phil,
> > 
> > the debdiff looks good, but please use +deb9u1 as suffix for the version
> > number. You may then proceed with the upload to security-master.
> > 
> > Note that since it's the first nautilus security upload to stretch it needs
> > to be built with -sa.
> > 
> > You can safely upload a source-only upload, but you need to remove the
> > .buildinfo from the changes file before uploading.
> 
> I'll take care of the upload. Do you intend to backport the patches to Jessie?
> 
> Regards,

Hi all,

I have looked at both 'jessie' and 'wheezy'. Both are not affected by this
specific issue and have mechanism(s) like stretch (with update) and newer
versions of nautilus that display and require input when confronted with certain
file types.

Screenshot attached showing how 'jessie' and 'wheezy' react to the example
attack desktop file.

If someone else wishes to validate this, please feel free.

Regards

Phil

-- 
*** If this is a mailing list, I am subscribed, no need to CC me.***

Playing the game for the games sake.

Web: https://kathenas.org

GitLab: https://gitlab.com/kathenas

Twitter: kathenasorg

Instagram: kathenasorg

GPG: 1B97 6556 913F 73F3 9C9B 25C4 2961 D9B6 2017 A57A
-------------- next part --------------
A non-text attachment was scrubbed...
Name: screeenshot_jessie.png
Type: image/png
Size: 74997 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnome-maintainers/attachments/20171011/34ccc131/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: screenshot_wheezy.png
Type: image/png
Size: 91174 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnome-maintainers/attachments/20171011/34ccc131/attachment-0003.png>