Bug#408556: SECURITY: Incorrect MIME type detection can trick
users into running arbitrary commands
Loïc Minier
lool at dooz.org
Wed Feb 7 10:41:31 CET 2007
# Whoops, messed up with the retitles.
# nautilus
retitle 408556 SECURITY: Specially crafted .desktop files can disguise as harmless files
# gnome-vfs2
retitle 408948 SECURITY: Incorrect MIME type detection can trick users into running arbitrary commands
stop
On Mon, Jan 29, 2007, Loïc Minier wrote:
> clone 408556 -1
> reassign 408556 nautilus
> retitle -1 SECURITY: Specially crafted .desktop files can disguise as harmless files
> stop
>
> Hi,
>
> Since it wasn't clear for everybody reading this bug: Debian #408556 is
> about the fact that files with unknown extensions (e.g. ".jpg ", mind
> the final space), but executable contents (such as a .desktop file), can
> trick users into running arbitrary commands.
>
> This is a security problem because you can trick users into saving a
> file named e.g. "apple.jpg " and opening it because they might think
> opening .jpg files is safe, but gnome-vfs/shared-mime-info will report
> the MIME type as being ".desktop file" and nautilus will run the
> specified command instead of opening the .jpg viewer.
>
> The proposed solution for this bug is to check whether the file uses
> the correct extension for its MIME type as is done in Xfce's VFS lib
> (see attached .c snippet).
>
>
> I'm cloning this bug and reassigning against nautilus because the
> current way in which .desktop files are painted in nautilus is a
> security issue in itself: people can host dangerous files on smb://
> shares and trick users into opening them because nautilus will display
> the .desktop file using its embedded "Name" and "Icon"; so you can
> display the .desktop file as if it were a picture or sound file with
> the name of a picture or sound file, and people will be tricked into
> opening it with no useful way to distinguish.
>
> The proposed solution for this bug is to filter for which URLs nautilus
> is allowed to nicely display .desktop files. http:// and smb:// could
> be disabled by default and file:// and computer:// could be enabled,
> but some special URLs need to be explicitly authorized as nautilus
> relies on .desktop files support in e.g. smb://$workgroup/ to list
> computer names.
>
> Bye,
> --
> Loïc Minier <lool at dooz.org>
>
>
--
Loïc Minier <lool at dooz.org>
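To make the two proposed checks concrete, here is an added example (not gnome-vfs, nautilus or Xfce code) that models both: an extension-versus-content consistency check in the spirit of the Xfce VFS snippet mentioned above, and a URI-scheme allowlist that decides when a .desktop file's embedded Name= may be shown in place of its real file name. The extension table, magic signatures, trusted scheme set and the sample files are all constructed for the demonstration.

```python
"""Added illustration of the two mitigations discussed in Debian #408556
and #408948.  Not code from gnome-vfs, nautilus or Xfce; the tables below
are assumptions standing in for shared-mime-info globs and magic."""
import configparser
from urllib.parse import urlparse

# Assumed extension -> MIME table (shared-mime-info globs in the real system).
EXTENSION_TYPES = {
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".png": "image/png",
    ".ogg": "audio/ogg",
    ".desktop": "application/x-desktop",
}

# Assumed magic table: leading bytes -> MIME type.
MAGIC = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"OggS", "audio/ogg"),
]

# Types whose "open" action runs a command rather than viewing data.
LAUNCHABLE = {"application/x-desktop"}

# Assumed allowlist of schemes on which embedded Name=/Icon= may be rendered.
TRUSTED_SCHEMES = {"file", "computer"}


def extension_type(name):
    """Type from the literal extension.  'holiday.jpg ' (trailing space)
    has the extension '.jpg ', which matches no glob and yields None."""
    idx = name.rfind(".")
    if idx < 0:
        return None
    return EXTENSION_TYPES.get(name[idx:].lower())


def _first_meaningful_line(data):
    for line in data.splitlines():
        line = line.strip()
        if line and not line.startswith(b"#"):
            return line
    return b""


def sniff_type(data):
    """Content-based type: binary magic first, then the .desktop group header."""
    head = data[:512]
    for sig, mime in MAGIC:
        if head.startswith(sig):
            return mime
    if _first_meaningful_line(head) == b"[Desktop Entry]":
        return "application/x-desktop"
    return None


def effective_type(name, data):
    """A sniffed launchable type is honoured only when the extension agrees;
    any disagreement demotes the file to application/octet-stream so that
    opening it can never run a command.  Non-launchable types keep the
    extension's verdict, falling back to sniffing."""
    by_ext = extension_type(name)
    by_content = sniff_type(data)
    if by_content in LAUNCHABLE and by_ext != by_content:
        return "application/octet-stream"
    return by_ext or by_content or "application/octet-stream"


def display_name(uri, data):
    """Name the file manager should show.  The embedded Name= of a .desktop
    file is used only on trusted schemes and only when the file passed
    effective_type(); on http:// or smb:// the real file name is shown."""
    parsed = urlparse(uri)
    basename = parsed.path.rsplit("/", 1)[-1]
    if parsed.scheme not in TRUSTED_SCHEMES:
        return basename
    if effective_type(basename, data) != "application/x-desktop":
        return basename
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(data.decode("utf-8", "replace"))
    return cp.get("Desktop Entry", "Name", fallback=basename)


# Constructed samples: a .desktop launcher masquerading as a picture, and a
# minimal JPEG header.
DESKTOP_PAYLOAD = (
    b"[Desktop Entry]\n"
    b"Type=Application\n"
    b"Name=holiday.jpg\n"
    b"Icon=image-x-generic\n"
    b"Exec=sh -c 'echo would-run-here'\n"
)
JPEG_HEADER = b"\xff\xd8\xff\xe0" + b"\x00" * 16


if __name__ == "__main__":
    for name in ("holiday.jpg", "holiday.jpg ", "launcher.desktop"):
        print(repr(name), "->", effective_type(name, DESKTOP_PAYLOAD))
    for uri in ("smb://WORKGROUP/share/launcher.desktop",
                "file:///home/user/launcher.desktop"):
        print(uri, "shown as", display_name(uri, DESKTOP_PAYLOAD))
```

The consistency check is what blocks the "apple.jpg " trick: the extension lookup fails, the sniffer says .desktop, the two disagree, and the file is treated as opaque data. The scheme allowlist is deliberately coarse; as the mail notes, a real implementation would also need exceptions such as smb://$workgroup/, which this example does not model.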