>From what I understand, 1) autorun.inf files can be written to automatically execute a program. However, they still need to get user approval through a "Do you trust this program?" kind of message. 2) According to upstream comment, "By setting PCRE_NO_UTF8_CHECK you are guaranteeing that the string is a valid UTF-8 string. If you break your promise, anything might happen.". Some people have already exploited similar bugs to execute an arbitrary payload ( https://googleprojectzero.blogspot.com/2015/02/exploitingscve-2015-0318sinsflash.html ).
At worse, I think the bug could be exploited to create a malicious USB/SD Card/Filesystem image to execute arbitrary code without user approval when mounted. It could also be used to run code with gvfs privileges. Not sure if that qualifies as a security issue. The bug does not happen when no user is authenticated (locked screen), so it cannot be used to bypass a login screen. -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to gvfs in Ubuntu. https://bugs.launchpad.net/bugs/1798725 Title: gvfs may crash when parsing non-valid UTF8 in autorun.inf To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gvfs/+bug/1798725/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs