Date: Thu, 05 Oct 2017 22:37:46 +0200
From: Yves-Alexis Perez <corsac@...ian.org>
To: oss-security@...ts.openwall.com
Subject: [CVE-2017-14604] .desktop vulnerability again

Hi list,

I'm currently in the process of uploading a nautilus package fixing
CVE-2017-14604, which is again a vulnerability in the handling of .desktop
files. As I don't think it's been discussed here, it might be a good idea to do
a wrap-up, and maybe start a discussion if people are interested and have good
ideas.

There was some publicity on this at the beginning of the year with a blog post
using that vulnerability in order to break out of SubGraph OS
(https://micahflee.com/2017/04/breaking-the-security-model-of-subgraph-os/)

Last time we had a vulnerability related to the handling of .desktop files, it
was handled by refusing to run them unless they had the executable bit.
Unfortunately, this permission bit is maintained when storing inside a
tarball, for example, so if an attacker wraps an executable .desktop file
posing (for example) as a PDF inside a tarball, a victim could extract the
file and double-click on the PDF and the system will happily execute the
command inside the Exec= field of the .desktop file.

Some bugs were opened against various file managers:

Nautilus (GNOME): https://bugzilla.gnome.org/show_bug.cgi?id=777991
Caja (Mate): https://github.com/mate-desktop/caja/issues/727
Nemo (Cinnamon): https://github.com/linuxmint/nemo/issues/1404
PCManFM (LXDE): https://github.com/lxde/pcmanfm-qt/issues/449
Thunar (Xfce): https://bugzilla.xfce.org/show_bug.cgi?id=13329

I'm not sure if a bug was opened against others, like KDE's Dolphin.

As far as I understand it only Nautilus got a CVE. If we consider it a
vulnerability I guess every file manager should get a CVE, but I'm interested
in other opinions on this.

Scanning through the various bugs, not everyone agrees on how to fix this:

- Nautilus doesn't use the executable bit anymore but stores a trusted
attribute in gio/gvfs metadata, which is stored on the filesystem in
XDG_DATA_DIR/.gvfs-metadata (usually ~/.local/share/gvfs-metadata) which I guess
should not be reachable from a tarball unless the extraction process has a
directory traversal vulnerability
- there's a PR on Nemo to basically do the same thing
- PCManFM now treats .desktop files like it apparently treats executables, and
always requests explicit user permission before running them
- Thunar and Caja are not yet fixed.

Obviously there's a usability vs. security tradeoff here and I'm unsure if
there's a good solution. For now I'll just push the Debian updates for
Nautilus and keep an eye on this.

Regards,
-- 
Yves-Alexis
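A check for the tarball case described in the post above, as an added example that is not part of Yves-Alexis's message or of any of the file managers' code: it builds a constructed tarball containing a .desktop file posing as a PDF with the executable bit set in the tar header, lists such members together with their Name= and Exec= keys, and provides an extraction filter that clears execute bits on .desktop members (the filter callback assumes Python's tarfile extraction-filter interface).

```python
import configparser
import io
import stat
import tarfile

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def make_sample_archive() -> bytes:
    # Constructed sample: a .desktop file posing as a PDF, mode 0755 in its
    # tar header, alongside one ordinary document with no execute bit.
    desktop = ("[Desktop Entry]\nType=Application\nName=report.pdf\n"
               "Icon=application-pdf\nExec=sh -c 'echo this-would-run'\n")
    members = (("docs/report.pdf.desktop", 0o755, desktop.encode()),
               ("docs/real.pdf", 0o644, b"%PDF-1.4\n"))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode, data in members:
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(data), mode
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def find_executable_desktop_entries(archive: bytes) -> list:
    # Flag .desktop members whose tar header carries any execute bit and pull
    # out Name= and Exec= so a reviewer sees what a double-click would launch.
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for m in tar:
            if not (m.isfile() and m.name.endswith(".desktop") and m.mode & EXEC_BITS):
                continue
            cp = configparser.ConfigParser(interpolation=None)
            cp.optionxform = str  # .desktop keys are case-sensitive
            cp.read_string(tar.extractfile(m).read().decode("utf-8", "replace"))
            entry = cp["Desktop Entry"] if cp.has_section("Desktop Entry") else {}
            findings.append({"member": m.name, "mode": oct(m.mode),
                             "name": entry.get("Name", ""),
                             "exec": entry.get("Exec", "")})
    return findings


def drop_desktop_exec_bits(member: tarfile.TarInfo, dest: str) -> tarfile.TarInfo:
    # Extraction filter for tarfile.extractall(filter=...) (Python 3.12+ and the
    # backports): clear execute bits on .desktop members so the archive's own
    # header cannot satisfy a file manager's executable-bit check.
    if member.name.endswith(".desktop"):
        member.mode &= ~0o111
    return member
```

Running find_executable_desktop_entries on the sample archive reports only docs/report.pdf.desktop; the same scan run on a real download before extraction shows what the executable-bit heuristic would let through.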