Bug#860268: .desktop files can hide malware in Nautilus
Phil Wyett
philwyett at kathenas.org
Wed Sep 13 14:30:55 UTC 2017
On Wed, 2017-09-13 at 13:36 +0000, Donncha O'Cearbhaill wrote:
> Jeremy Bicha:
> >
> > It's not just a UI change but a translatable string change. The new
> > dialog that users will have to use to mark .desktop's as trusted will
> > be untranslated.
> >
> > Therefore, if you want this feature, you will need to use Nautilus >=
> > 3.24 which means you will need to upgrade to buster.
> >
>
> I understand backporting is more difficult when there are user facing UI
> and localisation changes. AFAIK the only new translatable string in the
> patch is "Trust and _Launch". Would it be possible to include the
> translations for that string with this backport patch?
>
> Personally I don't consider this change a *feature*, it is a fix for a
> serious security issue affecting Debian stable users (and Tails). The
> issue is trivially exploitable against the default configuration.
>
> Video demonstrating the issue:
> https://twitter.com/bleidl/status/851969179980845056
> More information and an example:
> https://github.com/DonnchaC/desktop-file-social-engineering
Hi,
Please note that the debdiff I provided was essentially a raw backport for
testing and I thought it may have issues. It was never meant as a 'here it is,
all done' patch ready for submission as a stable update.
I am a little busy at the moment, but if I can help here, I will.
Regards
Phil
--
*** If this is a mailing list, I am subscribed, no need to CC me.***
Playing the game for the games sake.
Web: https://kathenas.org
Github: https://github.com/kathenas
Twitter: kathenasorg
Instagram: kathenasorg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnome-maintainers/attachments/20170913/b5469d5e/attachment.sig>
More information about the pkg-gnome-maintainers
mailing list