[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#516008: possible arbitrary code execution from .desktop files in email attachments


Another issue regarding this bug is that noexec is not honored. While e.g. 
Shell Scripts will only be displayed instead of executed on noexec mounted 
Filesystems when you click on them - .desktop Files will be executed 
bypassing noexec security.

> Solution:
> Change .desktop file to execute the command inside only if they have
> +x bit or - better -  change those launcher files so that the first line
> would be #!/usr/bin/desktop-launch, with the rest of the script following
> afterwards. With the execute bit set this would become merely a normal
> script, which is interpreted by the specified separate 'shell' or utility,
> rather than something integrated into the desktop

Just checking the executable bit won't help with the noexec issue, so the 
shebang seems to be the better solution.

The fact that .desktop files can have any Symbol (e.g. like a Openoffice 
Document) but can execute arbitrary *remote* Code makes this issue really 
dangerous for end-users.


Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to: