On Mon, Jun 18, 2018 at 02:17:43PM +0100, Tomasz Kłoczko wrote: > For example in case of have /usr/local/bin/id you can observe that > gnome-terminal started from command line and GUI menu are altere. > In other words this effect is literally spreads as well across most of > the /usr/share/application/*desktop files (just grep those files for > ^Exec=). > Using in Exec= only binary name instead full path would be nothing bad > .. however this mixed with currently used $PATH really changes > everything!
No, it does not change everything as attackers can also just copy desktop files with other Exec-Keys to /home/till/.local/share/applications, for example like this: sed -e s,Exec=.*,Exec=xmessage\ pwned, /usr/share/applications/firefox.desktop > ~/.local/share/applications/firefox.desktop There is no need to drop something in the path to manipulate desktop files/the applications that are started (I verified this with Gnome on Fedora 28). Please stop with these false claims. Kind regards Till _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/4IT3C2JTRLTNI74UJYWXMTPY5QZNOZJT/
