Bug 1491425

Summary: .desktop files can hide malware in Nautilus
Product: Red Hat Enterprise Linux 7
Reporter: Phil Wyett <philip.wyett>
Component: nautilus
Assignee: Carlos Soriano <csoriano>
Status: CLOSED CURRENTRELEASE
QA Contact: Desktop QE <desktop-qa-list>
Severity: unspecified
Priority: unspecified
Version: 7.4
CC: cosimo.cecchi, extras-qa, jbicha, jkoten, mclasen, micah, philip.wyett, tpelka
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: nautilus-3.22.3-4.el7_4
Doc Type: If docs needed, set a value
Story Points: ---
Clone Of: 1442231
Last Closed: 2018-07-16 10:24:10 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Phil Wyett 2017-09-13 18:53:13 UTC
+++ This bug was initially created as a clone of Bug #1442231 +++

Description of problem:

There is a bug in Nautilus that makes it possible to disguise a malicious script as an innocent document, like a PDF or ODT, that gets executed when the user opens it.

The upstream nautilus issue [1] has already been resolved, and will be released in nautilus 3.24. But since this is an important security issue, I think this patch should be backported so that it's fixed in older versions of Fedora.

See this blog post [2] for more about how this bug allows attackers to compromise Subgraph OS. Fedora is vulnerable to the same type of attack.

[1] https://bugzilla.gnome.org/show_bug.cgi?id=777991
[2] https://micahflee.com/2017/04/breaking-the-security-model-of-subgraph-os/


Steps to Reproduce:

Make a file called malware.desktop that has this content:

[Desktop Entry]
Encoding=UTF-8
Name=resume.odt
Exec=gnome-calculator
Terminal=false
Type=Application
Icon=libreoffice-writer.png

Now make malware.desktop executable (chmod 755 malware.desktop). If you open nautilus and browse to the folder that this document is in, it looks like there's a LibreOffice document called "resume.odt". But when you double-click on it, it runs the attacker's code. In this case, it opens the calculator.

--- Additional comment from Jan Kurik on 2017-08-15 02:55:11 EDT ---

This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.
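The report above describes the mismatch that makes the spoof work: the file manager displays the launcher's Name= value instead of the real filename, so an executable launcher whose Name looks like a document is indistinguishable from the document itself. The following script is an added example, not part of this bug report or of Nautilus; it parses .desktop files in a directory with Python's configparser and flags Type=Application launchers whose displayed Name ends in a document-like extension, recording what would have been shown, what Exec= would actually run, and whether the file carries an execute bit. The list of document suffixes is an assumption chosen for the example, and the two launchers it writes (the one from the repro steps plus a benign control) are constructed sample input.

```python
import configparser
import os
import stat
import tempfile

# Constructed sample input: the launcher from the repro steps above, plus a
# benign launcher that should not be flagged.
SPOOFED_LAUNCHER = """[Desktop Entry]
Encoding=UTF-8
Name=resume.odt
Exec=gnome-calculator
Terminal=false
Type=Application
Icon=libreoffice-writer.png
"""

BENIGN_LAUNCHER = """[Desktop Entry]
Name=Calculator
Exec=gnome-calculator
Type=Application
"""

# Assumed list: extensions a user reads as "a document, not a program".
DOCUMENT_SUFFIXES = (".pdf", ".odt", ".ods", ".odp", ".doc", ".docx",
                     ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".jpg", ".png")


def parse_desktop_entry(path):
    """Return the [Desktop Entry] group of a .desktop file as a dict,
    or None if the file has no such group or cannot be parsed."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case so Name/Exec/Type match the spec
    try:
        cp.read(path, encoding="utf-8")
    except (configparser.Error, UnicodeDecodeError):
        return None
    if not cp.has_section("Desktop Entry"):
        return None
    return dict(cp["Desktop Entry"])


def is_executable(path):
    """True if any execute bit is set (the repro relies on chmod 755)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def find_spoofed_launchers(directory):
    """Scan one directory for .desktop launchers whose displayed Name looks
    like a document. Each finding records the name the file manager would
    show, the command that would actually run, and the execute-bit state."""
    findings = []
    for entry in sorted(os.listdir(directory)):
        path = os.path.join(directory, entry)
        if not entry.endswith(".desktop") or not os.path.isfile(path):
            continue
        fields = parse_desktop_entry(path)
        if fields is None or fields.get("Type") != "Application":
            continue
        shown = fields.get("Name", "")
        if not shown.lower().endswith(DOCUMENT_SUFFIXES):
            continue
        findings.append({
            "path": path,
            "displayed_name": shown,
            "exec": fields.get("Exec", ""),
            "executable": is_executable(path),
        })
    return findings


def demo():
    """Write both constructed launchers into a scratch directory and scan it."""
    with tempfile.TemporaryDirectory() as scratch:
        spoofed = os.path.join(scratch, "malware.desktop")
        with open(spoofed, "w", encoding="utf-8") as fh:
            fh.write(SPOOFED_LAUNCHER)
        os.chmod(spoofed, 0o755)
        benign = os.path.join(scratch, "calc.desktop")
        with open(benign, "w", encoding="utf-8") as fh:
            fh.write(BENIGN_LAUNCHER)
        return find_spoofed_launchers(scratch)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['path']}: shown as {hit['displayed_name']!r}, "
              f"runs {hit['exec']!r}, executable={hit['executable']}")
```

Run it against a user's Downloads or Desktop folder instead of the scratch directory to get the same report on real files; the benign launcher is there to show that ordinary application shortcuts with a non-document Name are not flagged.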

Comment 2 Phil Wyett 2018-07-16 08:54:41 UTC
This bug can be closed as fixed errata.