Description of problem:

There is a bug in Nautilus that makes it possible to disguise a malicious script as an innocent document, like a PDF or ODT, that gets executed when the user opens it. The upstream nautilus issue [1] has already been resolved, and will be released in nautilus 3.24. But since this is an important security issue, I think this patch should be backported so that it's fixed in older versions of Fedora.

See this blog post [2] for more about how this bug allows attackers to compromise Subgraph OS. Fedora is vulnerable to the same type of attack.

[1] https://bugzilla.gnome.org/show_bug.cgi?id=777991
[2] https://micahflee.com/2017/04/breaking-the-security-model-of-subgraph-os/

Steps to Reproduce:

Make a file called malware.desktop that has this content:

[Desktop Entry]
Encoding=UTF-8
Name=resume.odt
Exec=gnome-calculator
Terminal=false
Type=Application
Icon=libreoffice-writer.png

Now make malware.desktop executable (chmod 755 malware.desktop).

If you open nautilus and browse to the folder that this document is in, it looks like there's a LibreOffice document called "resume.odt". But when you double-click on it, it runs the attacker's code. In this case, it opens the calculator.
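
A defender-side check for the disguise described in this report, added here as an example and not part of the original report or of Nautilus: it walks a directory and flags .desktop launchers whose Name= ends in a document extension while Exec= runs a command. The function names and the DOC_EXTS list are assumptions of this example, and the benign launcher in demo() is constructed.

```python
import configparser
import os
import tempfile

# Assumption: which extensions count as document-like is a local policy choice.
DOC_EXTS = {".pdf", ".odt", ".ods", ".odp", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def check_launcher(path):
    """Return a finding dict if the .desktop file poses as a document, else None."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str  # desktop entry keys are case-sensitive
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            cp.read_file(fh)
        entry = cp["Desktop Entry"]
    except (OSError, KeyError, configparser.Error):
        return None  # unreadable, or not a desktop entry file
    name, cmd = entry.get("Name", ""), entry.get("Exec", "")
    is_doc = os.path.splitext(name)[1].lower() in DOC_EXTS
    if entry.get("Type") != "Application" or not cmd or not is_doc:
        return None
    return {"path": path, "name": name, "exec": cmd,
            "executable": bool(os.stat(path).st_mode & 0o111)}  # chmod 755 in the report


def scan(root):
    """Collect findings for every *.desktop file under root."""
    paths = [os.path.join(d, f) for d, _, fs in os.walk(root) for f in sorted(fs)
             if f.endswith(".desktop")]
    return [hit for hit in map(check_launcher, paths) if hit]


def demo():
    """Scan a temp dir holding the report's sample and a constructed benign launcher."""
    bad = ("[Desktop Entry]\nEncoding=UTF-8\nName=resume.odt\nExec=gnome-calculator\n"
           "Terminal=false\nType=Application\nIcon=libreoffice-writer.png\n")
    good = "[Desktop Entry]\nName=Calculator\nExec=gnome-calculator\nType=Application\n"
    with tempfile.TemporaryDirectory() as d:
        for fn, body, mode in (("malware.desktop", bad, 0o755), ("calc.desktop", good, 0o644)):
            p = os.path.join(d, fn)
            with open(p, "w", encoding="utf-8") as fh:
                fh.write(body)
            os.chmod(p, mode)
        return [{**h, "path": os.path.basename(h["path"])} for h in scan(d)]


if __name__ == "__main__":
    print(demo())
```

Pointing scan() at download and attachment directories on hosts still running an affected nautilus gives a quick inventory of launchers that would render as documents.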
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle. Changing version to '27'.
I believe that only Fedora 25 (and older) is impacted. The issue was fixed in upstream nautilus 3.24.0, and F26 currently ships nautilus-3.24.2.1-1.fc26. There is another tracker for F25: https://bugzilla.redhat.com/show_bug.cgi?id=1490873
This bug has been fixed and only affected version EOL releases. This bug can be closed.
Closing 'Current release' as per comments 2 and 3. Feel free to change if it wasn't the preferred resolution.