Bug 1442231

Summary: .desktop files can hide malware in Nautilus
Product: [Fedora] Fedora
Reporter: micah
Component: nautilus
Assignee: Matthias Clasen <mclasen>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 27
CC: cbuissar, cosimo.cecchi, mclasen, philip.wyett
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1491425
Environment:
Last Closed: 2018-07-16 11:10:43 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description micah 2017-04-13 20:03:00 UTC
Description of problem:

There is a bug in Nautilus that makes it possible to disguise a malicious script as an innocent document, like a PDF or ODT, that gets executed when the user opens it.

The upstream nautilus issue [1] has already been resolved, and will be released in nautilus 3.24. But since this is an important security issue, I think this patch should be backported so that it's fixed in older versions of Fedora.

See this blog post [2] for more about how this bug allows attackers to compromise Subgraph OS. Fedora is vulnerable to the same type of attack.

[1] https://bugzilla.gnome.org/show_bug.cgi?id=777991
[2] https://micahflee.com/2017/04/breaking-the-security-model-of-subgraph-os/


Steps to Reproduce:

Make a file called malware.desktop that has this content:

[Desktop Entry]
Encoding=UTF-8
Name=resume.odt
Exec=gnome-calculator
Terminal=false
Type=Application
Icon=libreoffice-writer.png

Now make malware.desktop executable (chmod 755 malware.desktop). If you open Nautilus and browse to the folder that this document is in, it looks like there's a LibreOffice document called "resume.odt". But when you double-click on it, it runs the attacker's code. In this case, it opens the calculator.
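
As an added example (not part of the bug report, and not the Nautilus project's code), the following Python script turns the masquerading pattern described above into a detection: it parses every .desktop file under a directory and flags Application launchers whose displayed Name= carries a document extension, reporting the on-disk/displayed name mismatch, a lure icon and the executable bit as supporting evidence. The two embedded samples are constructed for the example (the first copies the malware.desktop above verbatim); the document-suffix and icon-word lists are my own assumptions, not the trust logic Nautilus 3.24 implements.

```python
import configparser
import os
import stat
import tempfile
from typing import Dict, List, Optional

# Extensions an attacker would put in Name= so the launcher is displayed as an
# innocent document (the report uses "resume.odt"). Assumed list, not exhaustive.
DOCUMENT_SUFFIXES = (".pdf", ".odt", ".ods", ".odp", ".doc", ".docx", ".xls",
                     ".xlsx", ".ppt", ".pptx", ".txt", ".rtf", ".jpg", ".png", ".zip")
# Icon names that impersonate document viewers/editors (assumed list).
LURE_ICON_WORDS = ("libreoffice", "writer", "impress", "evince", "pdf", "document", "office")

# Constructed samples: the first is the launcher from the report, the second a
# benign launcher of the kind found in ~/.local/share/applications.
MASQUERADING_LAUNCHER = """[Desktop Entry]
Encoding=UTF-8
Name=resume.odt
Exec=gnome-calculator
Terminal=false
Type=Application
Icon=libreoffice-writer.png
"""
BENIGN_LAUNCHER = """[Desktop Entry]
Name=Calculator
Exec=gnome-calculator
Terminal=false
Type=Application
Icon=accessories-calculator
"""


def parse_desktop_entry(text: str) -> Optional[Dict[str, str]]:
    """Return the [Desktop Entry] group as a dict, or None if text is not a desktop file.
    Keys are case-sensitive in the spec, so configparser's lowercasing is disabled;
    RawConfigParser is used because '%U' etc. in Exec= are field codes, not interpolation."""
    parser = configparser.RawConfigParser(strict=False)
    parser.optionxform = str
    try:
        parser.read_string(text)
    except configparser.Error:
        return None
    if not parser.has_section("Desktop Entry"):
        return None
    return dict(parser.items("Desktop Entry"))


def suspicious_indicators(filename: str, entry: Dict[str, str], executable: bool) -> List[str]:
    """Return reasons a launcher looks like a disguised document; [] means benign.
    Only a runnable Application launcher whose displayed Name ends in a document
    extension is flagged; the remaining reasons add context for the analyst."""
    name = entry.get("Name", "")
    exec_line = entry.get("Exec", "")
    is_launcher = entry.get("Type", "") == "Application" and bool(exec_line)
    if not (is_launcher and name.lower().endswith(DOCUMENT_SUFFIXES)):
        return []
    reasons = [f"displayed Name={name!r} looks like a document but Exec={exec_line!r} runs a program"]
    on_disk = os.path.basename(filename)
    if name != on_disk:
        reasons.append(f"displayed name differs from on-disk name {on_disk!r}")
    if any(word in entry.get("Icon", "").lower() for word in LURE_ICON_WORDS):
        reasons.append(f"Icon={entry['Icon']!r} impersonates a document application")
    if executable:
        reasons.append("executable bit set: a file manager that trusts +x will run Exec on double-click")
    return reasons


def scan_directory(root: str) -> Dict[str, List[str]]:
    """Walk root and map each suspicious .desktop path to its list of reasons."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.endswith(".desktop"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    entry = parse_desktop_entry(fh.read())
                executable = bool(os.stat(path).st_mode & stat.S_IXUSR)
            except OSError:
                continue
            if entry is not None:
                reasons = suspicious_indicators(fn, entry, executable)
                if reasons:
                    findings[path] = reasons
    return findings


def demo() -> Dict[str, List[str]]:
    """Write both constructed samples into a scratch folder, chmod 755 them as the
    reproduction step does, and scan. Returns findings keyed by basename."""
    with tempfile.TemporaryDirectory() as root:
        for fn, body in (("malware.desktop", MASQUERADING_LAUNCHER),
                         ("calculator.desktop", BENIGN_LAUNCHER)):
            path = os.path.join(root, fn)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
            os.chmod(path, 0o755)
        findings = scan_directory(root)
    return {os.path.basename(p): r for p, r in findings.items()}


if __name__ == "__main__":
    for fn, reasons in demo().items():
        print(fn)
        for r in reasons:
            print("  -", r)
```

Point scan_directory at ~/Downloads or ~/Desktop on an affected system. An empty result is not a clean bill of health: the heuristic only catches Name= values ending in a listed extension, whereas the underlying problem is that any Name= differing from the on-disk filename is shown to the user, which is exactly the property the reproduction above relies on.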

Comment 1 Jan Kurik 2017-08-15 06:55:11 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.

Comment 2 Cedric Buissart 2017-09-18 07:56:21 UTC
I believe that only Fedora 25 (and older) is impacted. The issue was fixed in upstream nautilus 3.24.0, and F26 currently ships nautilus-3.24.2.1-1.fc26

There is another tracker for F25:
https://bugzilla.redhat.com/show_bug.cgi?id=1490873

Comment 3 Phil Wyett 2018-07-16 08:56:37 UTC
This bug has been fixed and only affected releases that are now EOL. This bug can be closed.

Comment 4 Cedric Buissart 2018-07-16 11:10:43 UTC
Closing 'Current release' as per comments 2 and 3. Feel free to change if it wasn't the preferred resolution.