Bug#860268: .desktop files can hide malware in Nautilus

Donncha O'Cearbhaill donncha at donncha.is
Thu Sep 7 13:34:00 UTC 2017


The upstream developer has now indicated that they will not be
backporting the fix to 3.22.x. They have a policy of not backporting
fixes which involve UI changes in stable branches.

Will Debian backport this issue themselves? I have requested a CVE which
I hope will help other distros to coordinate their fixes.

Upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=777991

intrigeri:
> Control: tag -1 + security
> 
> Donncha O'Cearbhaill:
>> Thank you Phil for providing a backport patch. What is the next step
>> needed to get this fix released as a backport? The .desktop security
>> issue is widely known and can be exploited in the wild [1]. IMO this
>> fix should be made available as soon as possible.
> 
> IMO the next step is to find out the answer to "Is there any plan
> upstream to backport this fix to their 3.22.x branch, and/or to
> request a CVE?": if this problem is as severe as it sounds, then it
> should be tracked as a security issue and fixed cross-distro, rather
> than patched in only the distros that are lucky enough to have users
> who care about such things.
> 


