Red Hat Security Advisory 2018-0223-01 - Nautilus is the file manager and graphical shell for the GNOME desktop. Security Fix: An untrusted .desktop file with executable permission set could choose its displayed name and icon, and execute commands without warning when opened by the user. An attacker could use this flaw to trick a user into opening a .desktop file disguised as a document, such as a PDF, and execute arbitrary commands. Note: This update will change the behavior of Nautilus. Nautilus will now prompt the user for confirmation when executing an untrusted .desktop file for the first time, and then add it to the trusted file list. Desktop files stored in the system directory, as specified by the XDG_DATA_DIRS environment variable, are always considered trusted and executed without prompt.
711d572be4e6502a88c9e3ecdba7b30faf259488211721ff7c708ff3a15c3f0aDebian Linux Security Advisory 3994-1 - Christian BoxdAPrfer discovered a vulnerability in the handling of FreeDesktop.org .desktop files in Nautilus, a file manager for the GNOME desktop environment. An attacker can craft a .desktop file intended to run malicious commands but displayed as a innocuous document file in Nautilus. An user would then trust it and open the file, and Nautilus would in turn execute the malicious content. Nautilus protection of only trusting .desktop files with executable permission can be bypassed by shipping the .desktop file inside a tarball.
3715d208820664621570bc5d85aecbd5c86a5bc7ae5fc046cc22288a7e55adc3
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed