Red Hat Bugzilla – Bug 1490872
CVE-2017-14604 nautilus: Insufficient validation of trust of .desktop files with execute permission
Last modified: 2018-02-12 06:27:42 EST
Nautilus trusts desktop files that have the executable bit set, and doesn't replace the displayed icon or the displayed name until it's trusted, which prevents from running random programs by a malicious desktop file.
However, the executable permission is preserved if the desktop file comes from a compressed file. A maliciously crafted file opened by the user could result in code execution.
Created nautilus tracking bugs for this issue:
Affects: fedora-25 [bug 1490873]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2018:0223 https://access.redhat.com/errata/RHSA-2018:0223