02-24-2009, 05:35 PM
Josselin Mouette

Security Issue of .desktop files

On Tuesday 24 February 2009 at 15:21 -0300, Daniel Ruoso wrote:
> Last week, an old security issue in desktop environments went through a
> widely public discussion (including on slashdot)[1][2]. As I said, this
> issue is not new[3], but there seems to be no action on the upstream to
> fix it.

On the contrary, there is action upstream to fix it, and Nautilus 2.26
will only launch “safe” .desktop files.

Once it is ready, I'll have a look at whether it is possible to backport
the changes to lenny, but it will probably be non-trivial.

--
Debian 5.0 "Lenny" has been released!

Last night, Darth Vader came down from planet Vulcan and told
me that if you don't install Lenny, he'd melt your brain.
 
02-24-2009, 05:39 PM
Daniel Ruoso

Security Issue of .desktop files

On Tue, 2009-02-24 at 19:35 +0100, Josselin Mouette wrote:
> On Tuesday 24 February 2009 at 15:21 -0300, Daniel Ruoso wrote:
> > Last week, an old security issue in desktop environments went through a
> > widely public discussion (including on slashdot)[1][2]. As I said, this
> > issue is not new[3], but there seems to be no action on the upstream to
> > fix it.
> On the contrary, there is action upstream to fix it, and Nautilus 2.26
> will only launch “safe” .desktop files.

and what are "safe" .desktop files?

daniel


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
02-24-2009, 05:53 PM
Yves-Alexis Perez

Security Issue of .desktop files

On mar, 2009-02-24 at 15:21 -0300, Daniel Ruoso wrote:
> Last week, an old security issue in desktop environments went through a
> widely public discussion (including on slashdot)[1][2]. As I said, this
> issue is not new[3], but there seems to be no action on the upstream to
> fix it.

In Xfce this discussion arose at some time, and Thunar/xfdesktop will
refuse to run “unsafe” .desktop files and present them with the mimetype
x-thunar/suspected-malware.

For the record, this has already been said, for example on
http://article.gmane.org/gmane.comp.freedesktop.xdg/8199

Cheers,
--
Yves-Alexis
 
02-24-2009, 06:11 PM
Daniel Ruoso

Security Issue of .desktop files

On Tue, 2009-02-24 at 19:53 +0100, Yves-Alexis Perez wrote:
> On mar, 2009-02-24 at 15:21 -0300, Daniel Ruoso wrote:
> > Last week, an old security issue in desktop environments went through a
> > widely public discussion (including on slashdot)[1][2]. As I said, this
> > issue is not new[3], but there seems to be no action on the upstream to
> > fix it.
> In Xfce this discussion arose at some time, and Thunar/xfdesktop will
> refuse to run “unsafe” .desktop files and present them with the mimetype
> x-thunar/suspected-malware.

I'm sorry, but that only addresses one half of the problem, which nautilus
in Debian also addresses. But it doesn't prevent desktop files that look
just right from being invoked directly after they are downloaded from a web
browser.

The issue here is about recognizing that .desktop files are executables,
and, as such, must have the x bit set in order to be executed. Consider
the user downloading a file from iceweasel, which sends it directly to
the Desktop. In a single step, the file is available with whatever
appearance it desires and able to execute whatever it wants to.

daniel


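The check Daniel is arguing for, written out as an added example (not code from Nautilus, Thunar or anyone on the list): a file-manager-side policy that treats a .desktop file as executable content and launches it only when it comes from a package-managed directory or the user has deliberately set the x bit. The trusted directory list, the classification names and the constructed sample entry are assumptions.

```python
import os
import stat
import configparser

# Package-manager-owned directories whose launchers are trusted regardless of
# mode bits (an assumption modelled on the XDG applications directories).
TRUSTED_DIRS = ("/usr/share/applications", "/usr/local/share/applications")


def parse_desktop_entry(text):
    """Return the [Desktop Entry] group as a dict, or None if absent/unparsable."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # keys such as Exec and Name are case-sensitive
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    if not cp.has_section("Desktop Entry"):
        return None
    return dict(cp.items("Desktop Entry"))


def in_trusted_dir(path):
    """True when the file sits directly inside one of the trusted directories."""
    return os.path.dirname(os.path.abspath(path)) in TRUSTED_DIRS


def classify(path, text, mode):
    """Return "launch" if a file manager should run the file, else "suspected".
    mode is the file's st_mode (os.stat(path).st_mode); passing it in lets
    constructed samples be classified without touching the filesystem.
    """
    entry = parse_desktop_entry(text)
    if entry is None or entry.get("Type") != "Application" or "Exec" not in entry:
        return "suspected"
    if in_trusted_dir(path):
        return "launch"
    # Anywhere else (Desktop, download folder) the user must have set the x bit
    # deliberately; a file just saved by a browser does not have it.
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return "launch"
    return "suspected"


# Constructed sample: presents itself as a PDF but would run a shell command.
DISGUISED = """[Desktop Entry]
Type=Application
Name=report.pdf
Icon=application-pdf
Exec=sh -c "echo this command would run"
"""
```

As dropped on the Desktop by a browser (mode 0644) the sample is classified "suspected"; the same entry installed under /usr/share/applications, or given the x bit by the user, is classified "launch".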
 
02-24-2009, 06:27 PM
Yves-Alexis Perez

Security Issue of .desktop files

On mar, 2009-02-24 at 16:11 -0300, Daniel Ruoso wrote:
> The issue here is about recognizing that .desktop files are executables,
> and, as such, must have the x bit set in order to be executed.

Depending on who executes it. On Xfce, a suspected malicious file won't be
executed.

> Consider
> the user downloading a file from iceweasel, which sends it directly to
> the Desktop. In a single step, the file is available with whatever
> appearance it desires and able to execute whatever it wants to.

By who? The Browser? Fix the browser?

Cheers,
--
Yves-Alexis