Nautilus trusts desktop files that have the executable bit set, and doesn't replace the displayed icon or the displayed name until it's trusted, which prevents a malicious desktop file from running random programs. However, the executable permission is preserved if the desktop file comes from a compressed file. A maliciously crafted file opened by the user could result in code execution.
Upstream issue: https://bugzilla.gnome.org/show_bug.cgi?id=777991
Upstream patch: https://bugzilla.gnome.org/attachment.cgi?id=345047&action=diff
Created nautilus tracking bugs for this issue:
Affects: fedora-25 [bug 1490873]
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 7
Via RHSA-2018:0223 https://access.redhat.com/errata/RHSA-2018:0223