Bug#860268: .desktop files can hide malware in Nautilus
Donncha O'Cearbhaill
donncha at donncha.is
Wed Sep 13 13:36:00 UTC 2017
Jeremy Bicha:
>
> It's not just a UI change but a translatable string change. The new
> dialog that users will have to use to mark .desktop's as trusted will
> be untranslated.
>
> Therefore, if you want this feature, you will need to use Nautilus >=
> 3.24 which means you will need to upgrade to buster.
>
I understand backporting is more difficult when there are user-facing UI
and localisation changes. AFAIK the only new translatable string in the
patch is "Trust and _Launch". Would it be possible to include the
translations for that string with this backport patch?

Personally I don't consider this change a *feature*, it is a fix for a
serious security issue affecting Debian stable users (and Tails). The
issue is trivially exploitable against the default configuration.

Video demonstrating the issue:
https://twitter.com/bleidl/status/851969179980845056

More information and an example:
https://github.com/DonnchaC/desktop-file-social-engineering