
Re: Security Issue of .desktop files



On Tue, 24 Feb 2009 19:09:42 -0300, Daniel Ruoso wrote:
> > > So if a .desktop file appears in the user's Desktop without the x bit
> > > set and the user clicks it, it won't get executed..
> > Not exactly. The “safe” .desktop file was in the link I pasted on
> > another mail in the thread:
> 
> So if the launcher uses a plain name like "Nude Shots", it will get
> executed?

I think I need to retract my previous statement.  It looks like the XFCE
desktop itself is fairly safe (since it never actually
executes .desktop files), but thunar isn't. For example, here is
a .desktop file that looks like it is iceweasel, but really it
downloads an essentially random file, but I could have made it do
pretty much anything.

<filename: random.desktop>
[Desktop Entry]
Version=1.0
Name=Iceweasel
Exec=wget http://people.debian.org/~joeyh/d-i/images/daily/stats.txt
Icon=/usr/share/pixmaps/iceweasel.png

The user is not warned that this may be malicious, it has the
iceweasel icon and name, and runs without prompt when clicked on in
thunar.

Mike
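
As an added example (not part of the original message, and not XFCE or Thunar code), this audits a directory for launchers like the one above: `.desktop` files without the x bit, and files whose `Exec=` program matches neither the displayed `Name=` nor `Icon=`. The function names, finding labels and the substring comparison are assumptions made for illustration; the comparison is a heuristic, not a rule from the Desktop Entry specification.

```python
import configparser
import os
import shlex
import stat
import tempfile

def audit_launcher(path):
    """Return heuristic findings for one .desktop file (empty list: nothing flagged)."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # .desktop keys are case-sensitive
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            cp.read_string(fh.read())
        entry = cp["Desktop Entry"]
        argv = shlex.split(entry.get("Exec", ""))
    except (configparser.Error, KeyError, ValueError):
        return ["unparseable"]
    findings = []
    # Check 1: launcher content in a file that nobody marked executable.
    if not os.stat(path).st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("no-exec-bit")
    # Check 2 (heuristic): program in Exec= matches neither Name= nor Icon=.
    program = os.path.basename(argv[0]).lower() if argv else ""
    shown = (entry.get("Name", "") + " " + os.path.basename(entry.get("Icon", ""))).lower()
    if program and program not in shown:
        findings.append("exec-mismatch:" + program)
    return findings

def audit_tree(root):
    """Map each flagged .desktop file under root (relative path) to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in (f for f in files if f.endswith(".desktop")):
            path = os.path.join(dirpath, fn)
            if found := audit_launcher(path):
                report[os.path.relpath(path, root)] = found
    return report

def demo():
    """Audit two constructed files: the launcher from the post and a benign one."""
    spoof = ("[Desktop Entry]\nVersion=1.0\nName=Iceweasel\n"
             "Exec=wget http://people.debian.org/~joeyh/d-i/images/daily/stats.txt\n"
             "Icon=/usr/share/pixmaps/iceweasel.png\n")
    benign = "[Desktop Entry]\nName=Iceweasel\nExec=iceweasel %u\nIcon=iceweasel\n"
    with tempfile.TemporaryDirectory() as d:
        for fn, text, mode in (("random.desktop", spoof, 0o644), ("ok.desktop", benign, 0o755)):
            with open(os.path.join(d, fn), "w") as fh:
                fh.write(text)
            os.chmod(os.path.join(d, fn), mode)
        return audit_tree(d)
```

Point `audit_tree()` at a directory such as a user's Desktop folder; only flagged files appear in the returned mapping.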

