Date: Thu, 05 Oct 2017 22:37:46 +0200 From: Yves-Alexis Perez <corsac@...ian.org> To: oss-security@...ts.openwall.com Subject: [CVE-2017-14604] .desktop vulnerability again Hi list, I'm currently in the process of uploading a nautilus package fixing CVE-2017- 14604 which is again a vulnerability in the handling of desktop file. As I don't think it's been discussed here, it might be a good idea to do a wrap-up, and maybe start a discussion if people are interested and have good ideas. There was some publicity on this at beginning of the year with a blog post using that vulnerability in order to break out of SubGraph OS (https://micahfl ee.com/2017/04/breaking-the-security-model-of-subgraph-os/) Last time we had a vulnerability related to the handling of .desktop file, it was handled by refusing to run it unless it has the executable bit. Unfortunately, this permission bit is maintained when storing inside a tarball, for example, so if an attacker wraps an executable .desktop file posing (for example) as a PDF inside a tarball, a victim could extract the file and double click on the PDF and the system will happily execute the command inside the Exec= field of the .desktop file. Some bugs were opened against various file managers: Nautilus (GNOME): https://bugzilla.gnome.org/show_bug.cgi?id=777991 Caja (Mate): https://github.com/mate-desktop/caja/issues/727 Nemo (Cinnamon): https://github.com/linuxmint/nemo/issues/1404 PCManFM (LXDE): https://github.com/lxde/pcmanfm-qt/issues/449 Thunar (Xfce): https://bugzilla.xfce.org/show_bug.cgi?id=13329 I'm not sure if a bug was opened against others, like KDE's Dolphin. As far as I understand it only Nautilus got a CVE. If we consider it a vulnerability I guess every file manager should get a CVE, but I'm interested in other opinions on this. Scanning through the various bugs, not everyone agree on how to fix this: - Nautilus doesn't use the executable bit anymore but store a trusted attribute in a gio/gvfs metadata, which is stored on the filesystem in XDG_DATA_DIR/.gvfs-metada (usually ~/.local/share/gvfs-metadata) which I guess should not be reachable from a tarball unless the extraction process has a directory traversal vulnerability - there's PR on Nemo to basically do the same thing - PCManFM now treats .desktop file like it apparently treats executable, and always request explicit user permission before running it - Thunar and Cara are not yet fixed. Obviously there's a usability vs. security tradeoff here and I'm unsure if there's a good solution. For now I'll just push the Debian updates for Nautilus and keep an eye on this. Regards, -- Yves-Alexis [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ