Bug#498867: Nautilus shows a preview of other users files even when the permissions are 700
Manuel Del Moral
migiwaza at gmail.com
Sat Sep 13 22:24:23 UTC 2008
Package: nautilus
Status: install ok installed
Priority: optional
Section: gnome
Installed-Size: 1408
Maintainer: Josselin Mouette <joss at debian.org>
Architecture: i386
Source: nautilus (2.14.3-11)
Version: 2.14.3-11+b1
Replaces: libnautilus2-2
Depends: libart-2.0-2 (>= 2.3.16), libatk1.0-0 (>= 1.12.2), libbonobo2-0 (>=
2.13.0), libc6 (>= 2.3.6-6), libeel2-2.14, libesd0 (>= 0.2.35) |
libesd-alsa0 (>= 0.2.35), libexif12, libgail-common (>= 1.6.6), libgail17
(>= 1.6.6), libgconf2-4 (>= 2.13.5), libglade2-0 (>= 1:2.5.1), libglib2.0-0
(>= 2.12.0), libgnome-desktop-2 (>= 2.11.1), libgnome2-0 (>= 2.14.1),
libgnomecanvas2-0 (>= 2.11.1), libgnomeui-0 (>= 2.13.0), libgnomevfs2-0 (>=
2.13.92), libgtk2.0-0 (>= 2.8.0), libnautilus-extension1 (>= 2.14.0),
liborbit2 (>= 1:2.14.1), libpango1.0-0 (>= 1.14.8), libpopt0 (>= 1.10),
librsvg2-2 (>= 2.12.7), libstartup-notification0 (>= 0.8-1), libx11-6,
libxml2 (>= 2.6.27), nautilus-data (= 2.14.3-11), shared-mime-info,
gnome-control-center (>= 2.6), desktop-file-utils (>= 0.7)
Recommends: desktop-base (>= 0.2), eject, nautilus-cd-burner (>= 2.6),
librsvg2-common, libgnomevfs2-extra, fam
Suggests: eog, evince | pdf-viewer, totem | mp3-decoder
Conflicts: libnautilus2-2, libnautilus2-dev
Description: file manager and graphical shell for GNOME
Nautilus is the official file manager for the GNOME desktop. It allows
to browse directories, preview files and launch applications associated
with them. It is also responsible for handling the icons on the GNOME
desktop. It works on local and remote filesystems.
.
Several icon themes and components for viewing different kinds of files
are available in separate packages.
.
URL: http://www.gnome.org/projects/nautilus/
Subject: gnome: Nautilus shows a preview of other users files even when the
permissions are 700
Package: Nautilus 2.14.3-11+b1
Severity: grave
Justification: user security hole
Tags: security
*** Please type your report below this line ***
If you have a JPG or other image, Nautilus shows a small preview of the
file to other users with access to the folder, even with no permissions to
read the file. It should NEVER show the small thumbnail, as it offers
sufficient information to anybody that should not access this info. I attach
a printscreen where you can see a file called "carolNY.jpg", with
permissions 600. Nautilus was launched from another user, and it was
possible to see the thumbnail, as shown in the printscreen.
You have refused a previous bug submission because it had no package. I'm
including the package name and version that I think is failing.
-- System Information:
Debian Release: 4.0
APT prefers oldstable
APT policy: (500, 'oldstable'), (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-686
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Pantallazo.png
Type: image/png
Size: 165549 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-gnome-maintainers/attachments/20080913/7b4d0324/attachment-0001.png