Bug#860268: .desktop files can hide malware in Nautilus

Donncha O'Cearbhaill donncha at donncha.is
Thu Sep 7 13:07:00 UTC 2017


intrigeri:
> Control: tag -1 + security
> 
> Donncha O'Cearbhaill:
>> Thank you Phil for providing a backport patch. What is the next step
>> needed to get this fix released as a backport? The .desktop security
>> issue is widely known and can be exploited in the wild [1]. IMO this
>> fix should be made available as soon as possible.
> 
> IMO the next step is to find out the answer to "Is there any plan
> upstream to backport this fix to their 3.22.x branch, and/or to
> request a CVE?": if this problem is as severe as it sounds, then it
> should be tracked as a security issue and fixed cross-distro, rather
> than patched in only the distros that are lucky enough to have users
> who care about such things.
> 

The upstream developer has indicated that he is willing to make a 3.22.x
release if a backport patch is provided. I've sent him a link to Phil
Wyett's debdiff which I hope is acceptable.

I will also file a CVE request for this issue which should help to
coordinate the release of this fix for other distros.

Upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=777991



More information about the pkg-gnome-maintainers mailing list