Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20260524130805.5ff3783d@riseup.net>
Date: Sun, 24 May 2026 13:08:05 -0400
From: Aaron Rainbolt <arraybolt3@...eup.net>
To: oss-security@...ts.openwall.com
Subject: Re: PCManFM-Qt allows arbitrary files to be opened via the
 org.freedesktop.FileManager1.ShowFolders method

On Tue, 19 May 2026 20:33:45 -0400
Aaron Rainbolt <arraybolt3@...eup.net> wrote:

> This issue was mentioned in the "On the issue of MIME handlers that
> execute arbitrary code" thread [1], and was brought up three years ago
> in a report about a vulnerability in Mono [2], but it looks like no
> one requested a CVE ID for it, so this is a targeted report so I have
> something self-contained to link to.
> 
> PCManFM-Qt implements the standard org.freedesktop.FileManager1 D-Bus
> interface [3]. The interface specification states that the
> org.freedesktop.FileManager1.ShowFolders function "assumes that the
> specified URIs are folders; the file manager is supposed to show a
> window with the contents of each folder." I believe the spec meant to
> say that this method only takes URIs pointing to folders as arguments,
> but PCManFM-Qt interprets the word "assumes" literally and hands the
> URIs to a routine that does a MIME handler lookup and launch. If all
> of the specified URIs actually *do* point to directories, this will do
> what the user expects, but if any of the URIs point to files, those
> files will be opened. This can be used for a number of different
> malicious purposes; most notably, if the user is unlucky enough to
> have Wine installed using WineHQ's upstream packages, it allows
> escaping various sandboxing mechanisms (Flatpak, Snap, etc.) by
> dropping an EXE file on the disk and then pointing PCManFM-Qt to it.
> (This is because WineHQ's builds of Wine ship a MIME handler for EXE
> files. That handler runs EXE files blindly.)

CVE-2026-48700 has been assigned to this issue. [1]

--
Aaron

[1] https://www.cve.org/CVERecord?id=CVE-2026-48700

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.