[Pkg-xfce-devel] Bug#517020: Security issues of .desktop launchers
Éric Araujo
merwok at netwok.org
Sat Jan 9 15:32:17 UTC 2010
Package: thunar
Severity: normal
Hello.
>> Anyway, I'm not really sure of the severity, it's not that easy to
>> exploit, and exploited anyway. I'll summarize that upstream and
>> decide then.
> it is in fact trivial to exploit:
>
> 1. place malicious launcher (one that downloads and executes your
> malicious script or executable, aka trojan) on a popular website,
> bittorrent, ftp, etc.
> 2. wait for unsuspecting user to visit site, download the launcher, and
> eventually wonder what that new icon does.
> 3. success.
Downloaded files don’t have the executable bit set, do they? So clicking
on the launcher would not execute it.
Kind regards
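As an added illustration of the check Éric's question points at (this is example code written for this page, not part of the bug report or of Thunar), the script below audits a downloaded .desktop launcher the way a file manager could before offering to run it: it parses the [Desktop Entry] group, reads the file's executable bit, and treats a launcher without that bit as untrusted. The sample launcher, the "launchable only if executable" policy, and the shell-in-Exec heuristic are all assumptions made for the example.

```python
"""Audit a .desktop launcher before trusting it (example code, not Thunar's)."""
import configparser
import os
import stat
import tempfile

# Constructed sample launcher, standing in for a file a browser saved to
# ~/Downloads. It is not a real file from the bug report.
SAMPLE_LAUNCHER = """[Desktop Entry]
Type=Application
Name=Free Wallpapers
Comment=Double-click to view
Icon=image-x-generic
Exec=sh -c "$HOME/Downloads/setup.sh"
Terminal=false
"""

# Assumption for the example: Exec lines that start a shell instead of a
# program deserve a closer look, because a shell can run anything.
SHELLS = {"sh", "bash", "dash", "/bin/sh", "/bin/bash", "/usr/bin/env"}


def parse_desktop_entry(path):
    """Return the [Desktop Entry] group as a dict, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   comment_prefixes=("#",), strict=False)
    cp.optionxform = str  # .desktop keys are case-sensitive ('Exec', 'Name[fr]')
    with open(path, encoding="utf-8") as fh:
        cp.read_file(fh)
    if not cp.has_section("Desktop Entry"):
        raise ValueError("not a .desktop file: missing [Desktop Entry] group")
    return dict(cp["Desktop Entry"])


def audit_launcher(path):
    """Report whether a launcher is marked executable and what it would run."""
    entry = parse_desktop_entry(path)
    mode = os.stat(path).st_mode
    exec_bit = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    exec_line = entry.get("Exec", "")
    tokens = exec_line.split()
    first = tokens[0] if tokens else ""
    findings = []
    if not exec_bit:
        findings.append("executable bit not set: treat as untrusted, do not launch")
    if entry.get("Type") == "Application" and first in SHELLS:
        findings.append(f"Exec starts a shell ({first}) rather than a program")
    return {
        "name": entry.get("Name", ""),
        "type": entry.get("Type", ""),
        "exec": exec_line,
        "executable_bit": exec_bit,
        # Policy assumed here: a launcher is only run if the user marked it +x.
        "launchable": exec_bit,
        "findings": findings,
    }


def demo():
    """Write the sample with a download-style mode, audit it, then after chmod +x."""
    with tempfile.NamedTemporaryFile("w", suffix=".desktop", delete=False) as fh:
        fh.write(SAMPLE_LAUNCHER)
        path = fh.name
    os.chmod(path, 0o644)   # what a freshly downloaded file typically gets
    before = audit_launcher(path)
    os.chmod(path, 0o755)   # the user has deliberately marked it executable
    after = audit_launcher(path)
    os.unlink(path)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("as downloaded", "after chmod +x"), demo()):
        print(f"{label}: launchable={result['launchable']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run it and the first audit refuses the launcher because the browser saved it without the executable bit; the second audit, after an explicit chmod +x, reports it launchable while still noting that Exec invokes a shell. The executable-bit rule is the simple gate the mail discusses: a file that merely arrived in ~/Downloads should not run on a double-click.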
-- System Information:
Debian Release: squeeze
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.30-2-686 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages thunar depends on:
ii desktop-file-utils 0.15-2 Utilities for .desktop files
ii exo-utils 0.3.106-1 Utility files for libexo
ii libatk1.0-0 1.28.0-1 The ATK accessibility toolkit
ii libc6 2.10.2-2 GNU C Library: Shared libraries
ii libcairo2 1.8.8-2 The Cairo 2D vector graphics libra
ii libdbus-1-3 1.2.16-2 simple interprocess messaging syst
ii libdbus-glib-1-2 0.82-2 simple interprocess messaging syst
ii libexo-0.3-0 0.3.106-1 Library with extensions for Xfce
ii libfreetype6 2.3.11-1 FreeType 2 font engine, shared lib
ii libglib2.0-0 2.22.3-1 The GLib library of C routines
ii libgtk2.0-0 2.18.3-1 The GTK+ graphical user interface
ii libice6 2:1.0.6-1 X11 Inter-Client Exchange library
ii libpango1.0-0 1.26.2-1 Layout and rendering of internatio
ii libsm6 2:1.1.1-1 X11 Session Management library
ii libthunar-vfs-1-2 1.0.1-2 VFS abstraction used in thunar
ii libx11-6 2:1.3.2-1 X11 client-side library
ii libxfce4util4 4.6.1-1 Utility functions library for Xfce
ii shared-mime-info 0.70-1 FreeDesktop.org shared MIME databa
ii thunar-data 1.0.1-2 Provides thunar documentation, ico
Versions of packages thunar recommends:
ii dbus-x11 1.2.16-2 simple interprocess messaging syst
ii gamin 0.1.10-2 File and directory monitoring syst
ii hal 0.5.14-1 Hardware Abstraction Layer
ii thunar-volman 0.3.80-3 Thunar extension for volumes manag
ii xdg-user-dirs 0.10-1 tool to manage well known user dir
ii xfce4-panel 4.6.2-1 The Xfce4 desktop environment pane
Versions of packages thunar suggests:
ii thunar-archive-plugin 0.2.4-5 Archive plugin for Thunar file man
ii thunar-media-tags-plugin 0.1.2-2 Media tags plugin for Thunar file
-- no debconf information