Date: Thu, 05 Oct 2017 22:37:46 +0200
From: Yves-Alexis Perez <corsac@...ian.org>
To: oss-security@...ts.openwall.com
Subject: [CVE-2017-14604] .desktop vulnerability again

Hi list,

I'm currently in the process of uploading a nautilus package fixing
CVE-2017-14604 which is again a vulnerability in the handling of desktop files.
As I don't think it's been discussed here, it might be a good idea to do a
wrap-up, and maybe start a discussion if people are interested and have good
ideas.

There was some publicity on this at the beginning of the year with a blog post
using that vulnerability in order to break out of SubGraph OS
(https://micahflee.com/2017/04/breaking-the-security-model-of-subgraph-os/)

Last time we had a vulnerability related to the handling of .desktop files, it
was handled by refusing to run it unless it has the executable bit.
Unfortunately, this permission bit is maintained when storing inside a
tarball, for example, so if an attacker wraps an executable .desktop file
posing (for example) as a PDF inside a tarball, a victim could extract the
file and double click on the PDF and the system will happily execute the
command inside the Exec= field of the .desktop file.

Some bugs were opened against various file managers:

Nautilus (GNOME): https://bugzilla.gnome.org/show_bug.cgi?id=777991
Caja (Mate): https://github.com/mate-desktop/caja/issues/727
Nemo (Cinnamon): https://github.com/linuxmint/nemo/issues/1404
PCManFM (LXDE): https://github.com/lxde/pcmanfm-qt/issues/449
Thunar (Xfce): https://bugzilla.xfce.org/show_bug.cgi?id=13329

I'm not sure if a bug was opened against others, like KDE's Dolphin.

As far as I understand it only Nautilus got a CVE. If we consider it a
vulnerability I guess every file manager should get a CVE, but I'm interested
in other opinions on this.

Scanning through the various bugs, not everyone agrees on how to fix this:

- Nautilus doesn't use the executable bit anymore but stores a trusted
attribute in gio/gvfs metadata, which is stored on the filesystem in
XDG_DATA_DIR/.gvfs-metadata (usually ~/.local/share/gvfs-metadata) which I guess
should not be reachable from a tarball unless the extraction process has a
directory traversal vulnerability
- there's a PR on Nemo to basically do the same thing
- PCManFM now treats .desktop files like it apparently treats executables, and
always requests explicit user permission before running them
- Thunar and Caja are not yet fixed.

Obviously there's a usability vs. security tradeoff here and I'm unsure if
there's a good solution. For now I'll just push the Debian updates for
Nautilus and keep an eye on this.

Regards,
-- 
Yves-Alexis
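The following is an added example, not part of the post above and not code from Nautilus or any of the other file managers mentioned. It reproduces the core observation of the post, that tar preserves the executable bit, and shows a small defender-side check a distribution or incident responder could run over an extracted archive: it parses every .desktop file, applies the old "trusted because +x is set" policy, and flags entries whose Name poses as a document while an Exec= line is present. The sample .desktop file, its file name and all function names are constructed for the illustration; the Exec command in it is a harmless echo standing in for whatever an attacker would put there.

```python
import configparser
import io
import os
import stat
import tarfile
import tempfile

# Constructed sample (not from the post): a .desktop entry whose Name and Icon
# make it look like a PDF in a file manager while Exec= runs a shell command.
# The command is deliberately harmless; it only marks where a real one would go.
FAKE_PDF_DESKTOP = """[Desktop Entry]
Type=Application
Name=quarterly-report.pdf
Icon=application-pdf
Exec=sh -c 'echo "this would have run"'
Terminal=false
"""

# Suffixes a victim expects to open as a document or image, not as a program.
DOCUMENT_SUFFIXES = (".pdf", ".doc", ".docx", ".odt", ".txt", ".jpg", ".png")
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def build_tarball(member_name, content, mode=0o755):
    """Pack one text file into an in-memory tar archive with the given mode bits.

    The mode lives in the tar member header, which is why an executable bit set
    by whoever created the archive survives the trip to the victim's machine.
    """
    data = content.encode("utf-8")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name=member_name)
        info.size = len(data)
        info.mode = mode
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def extract_tarball(tar_bytes, dest):
    """Extract with the 'data' filter where the Python version has it.

    The filter strips setuid/setgid and rejects path traversal, but it keeps the
    owner's executable bit, so the .desktop file still comes out executable.
    """
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        try:
            tar.extractall(dest, filter="data")
        except TypeError:  # older Python without the filter argument
            tar.extractall(dest)


def analyse_desktop_file(path):
    """Parse one .desktop file and report what an exec-bit trust policy would do."""
    parser = configparser.ConfigParser(interpolation=None)  # Exec may contain %f etc.
    parser.optionxform = str  # keep key case: Exec, Name, Icon
    with open(path, encoding="utf-8") as fh:
        parser.read_file(fh)
    entry = parser["Desktop Entry"] if parser.has_section("Desktop Entry") else {}
    name = entry.get("Name", "")
    exec_line = entry.get("Exec", "")
    executable = bool(os.stat(path).st_mode & EXEC_BITS)
    return {
        "path": path,
        "name": name,
        "exec": exec_line,
        "executable": executable,
        # The pre-fix policy: trusted, hence launched, purely because +x is set.
        "launched_by_exec_bit_policy": executable and bool(exec_line),
        # Display name pretends to be a document while an Exec= line is present.
        "masquerades_as_document": bool(exec_line) and name.lower().endswith(DOCUMENT_SUFFIXES),
    }


def scan_directory(root):
    """Return every .desktop file under root that the exec-bit policy would launch
    and whose Name poses as a document."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.endswith(".desktop"):
                continue
            info = analyse_desktop_file(os.path.join(dirpath, fname))
            if info["launched_by_exec_bit_policy"] and info["masquerades_as_document"]:
                findings.append(info)
    return findings


def demo(mode=0o755):
    """Round-trip the sample through a tarball and scan the extraction directory."""
    tar_bytes = build_tarball("quarterly-report.pdf.desktop", FAKE_PDF_DESKTOP, mode=mode)
    with tempfile.TemporaryDirectory() as dest:
        extract_tarball(tar_bytes, dest)
        extracted = os.path.join(dest, "quarterly-report.pdf.desktop")
        exec_bit_survived = bool(os.stat(extracted).st_mode & stat.S_IXUSR)
        findings = scan_directory(dest)
    return {"exec_bit_survived": exec_bit_survived, "findings": findings}


if __name__ == "__main__":
    result = demo()
    print("executable bit survived tar round trip:", result["exec_bit_survived"])
    for f in result["findings"]:
        print("suspicious:", f["path"], "Name=%r Exec=%r" % (f["name"], f["exec"]))
```

Running `demo()` with the default 0o755 mode shows the bit surviving extraction and the entry being flagged; `demo(mode=0o644)` shows the same archive producing no finding, which is exactly why the exec-bit check alone gave a false sense of safety. A trust marker kept outside the archive, like the gvfs metadata attribute the post describes for Nautilus, is what removes the attacker's control over that decision.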
