Bug 1491425 - .desktop files can hide malware in Nautilus
Summary: .desktop files can hide malware in Nautilus
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: nautilus
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Carlos Soriano
QA Contact: Desktop QE
Depends On:
Reported: 2017-09-13 18:53 UTC by Phil Wyett
Modified: 2018-07-16 10:24 UTC (History)

Fixed In Version: nautilus-3.22.3-4.el7_4
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1442231
Last Closed: 2018-07-16 10:24:10 UTC
Target Upstream Version:


System ID Private Priority Status Summary Last Updated
GNOME Bugzilla 777991 0 None None None 2017-09-13 18:53:12 UTC

Description Phil Wyett 2017-09-13 18:53:13 UTC
+++ This bug was initially created as a clone of Bug #1442231 +++

Description of problem:

There is a bug in Nautilus that makes it possible to disguise a malicious script as an innocent document, like a PDF or ODT, that gets executed when the user opens it.

The upstream nautilus issue [1] has already been resolved, and will be released in nautilus 3.24. But since this is an important security issue, I think this patch should be backported so that it's fixed in older versions of Fedora.

See this blog post [2] for more about how this bug allows attackers to compromise Subgraph OS. Fedora is vulnerable to the same type of attack.

[1] https://bugzilla.gnome.org/show_bug.cgi?id=777991
[2] https://micahflee.com/2017/04/breaking-the-security-model-of-subgraph-os/

Steps to Reproduce:

Make a file called malware.desktop that has this content:

[Desktop Entry]

Now make malware.desktop executable (chmod 755 malware.desktop). If you open nautilus and browse to the folder that this document is in, it looks like there's a LibreOffice document called "resume.odt". But when you double-click on it, it runs the attacker's code. In this case, it opens the calculator.

--- Additional comment from Jan Kurik on 2017-08-15 02:55:11 EDT ---

This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.
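
A defender-side check for the disguise described in the steps to reproduce, added here as an example (it is not code from the report or from the Nautilus project): it walks a directory and flags .desktop launchers whose displayed Name ends in a document extension. The names `disguise_reasons`, `scan`, `DOC_EXTS` and `SAMPLE` are hypothetical, the extension list is an assumption, and the sample entry is constructed for the demo rather than taken from the report.

```python
import configparser
import os
import tempfile

# Assumed extension list; SAMPLE is a constructed entry, not the file from the bug report.
DOC_EXTS = (".pdf", ".odt", ".ods", ".odp", ".doc", ".docx", ".xls", ".txt", ".jpg", ".png")
SAMPLE = "[Desktop Entry]\nType=Application\nName=resume.odt\nExec=/bin/true\n"

def disguise_reasons(path):
    """Return reasons why the .desktop file at `path` may be posing as a document."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), comment_prefixes=("#",))
    cp.optionxform = str  # desktop entry keys are case-sensitive
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            cp.read_file(fh)
    except (OSError, configparser.Error):
        return ["could not be parsed as a desktop entry"]
    entry = cp["Desktop Entry"] if cp.has_section("Desktop Entry") else {}
    if not entry.get("Exec"):
        return []  # no Exec key, so nothing would be launched
    # Each Name / Name[locale] value is a label a file manager may display.
    reasons = [f"{k}={v!r} looks like a document file name" for k, v in entry.items()
               if k.split("[")[0] == "Name" and v.strip().lower().endswith(DOC_EXTS)]
    if reasons and os.stat(path).st_mode & 0o111:
        reasons.append("file is marked executable")
    return reasons

def scan(root):
    """Walk `root` and map each suspicious .desktop path to its list of reasons."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.endswith(".desktop") and (found := disguise_reasons(full)):
                hits[full] = found
    return hits

if __name__ == "__main__":
    # Demo: write the constructed sample into a temp dir, mark it executable, scan it.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "malware.desktop")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o755)
        print(scan(tmp))
```

Pointing `scan` at download or removable-media directories is the intended use; launchers installed under system application directories normally carry application names and are not flagged.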

Comment 2 Phil Wyett 2018-07-16 08:54:41 UTC
This bug can be closed as fixed errata.
