Bug#860268: [Fwd: Re: Bug#860268: .desktop files can hide malware in Nautilus]
On Wed, Oct 11, 2017 at 2:34 PM, Phil Wyett wrote:
> I have looked at both 'jessie' and 'wheezy'. Both are not affected by this
> specific issue and have mechanism(s) like stretch (with update) and newer
> versions of nautilus that display and require input when confronted with
> certain file types.

nautilus 3.22 introduced integrated (almost silent) tarball decompression support which makes the test case for this vulnerability a lot simpler.

Thanks,
Jeremy Bicha
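An added example, not part of this thread or of the Nautilus patch: a pre-extraction check for the case the message above points at, a tarball that carries a .desktop launcher with the executable bit already set. It reads the archive in memory and reports launchers whose Name looks like a document or whose Exec runs a shell command, as in the CVE-2017-14604 description; the function names, the extension list and the sample archive are constructed for illustration.

```python
import io
import shlex
import tarfile
from pathlib import PurePosixPath

# Assumed lists for this example; tune them for your environment.
DOC_EXTENSIONS = {".pdf", ".odt", ".doc", ".docx", ".txt", ".jpg", ".png"}
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
MAX_BYTES = 64 * 1024  # launchers are small; never read more than this


def parse_desktop_entry(text):
    """Return the key/value pairs of the [Desktop Entry] group, or None."""
    entry, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, value = line.split("=", 1)
            entry.setdefault(key.strip(), value.strip())
    return entry or None


def exec_reason(exec_value):
    """Classify an Exec= value: shell one-liner, unparseable, or None."""
    try:
        argv = shlex.split(exec_value)
    except ValueError:
        return "exec-unparseable"  # unbalanced quoting: report, do not guess
    if argv and PurePosixPath(argv[0]).name in SHELLS and "-c" in argv[1:]:
        return "exec-runs-shell-command"
    return None


def audit_member(member, data):
    """Return the list of reasons a .desktop archive member deserves a look."""
    entry = parse_desktop_entry(data.decode("utf-8", errors="replace"))
    if entry is None:
        return []
    reasons = []
    # The executable bit travels inside the tar header, so extraction restores
    # it; before the fix that bit alone made Nautilus trust the launcher.
    if member.mode & 0o111:
        reasons.append("exec-bit-set-in-archive")
    # A displayed Name ending in a document extension hides the real type.
    if PurePosixPath(entry.get("Name", "")).suffix.lower() in DOC_EXTENSIONS:
        reasons.append("name-looks-like-document")
    reason = exec_reason(entry.get("Exec", ""))
    if reason:
        reasons.append(reason)
    return reasons


def audit_tar(fileobj):
    """Inspect .desktop members of a tar archive without writing to disk."""
    findings = {}
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            if not member.isfile() or not member.name.lower().endswith(".desktop"):
                continue
            data = tar.extractfile(member).read(MAX_BYTES)
            reasons = audit_member(member, data)
            if reasons:
                findings[member.name] = reasons
    return findings


def build_sample_tar():
    """Constructed sample: one text file, one ordinary launcher, one disguised."""
    members = [
        ("docs/notes.txt", 0o644, b"plain text\n"),
        ("docs/editor.desktop", 0o644,
         b"[Desktop Entry]\nType=Application\nName=Text Editor\nExec=gedit %U\n"),
        ("docs/invoice.desktop", 0o755,
         b"[Desktop Entry]\nType=Application\nName=invoice.pdf\n"
         b"Exec=sh -c \"echo constructed-sample\"\n"),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode, data in members:
            info = tarfile.TarInfo(name)
            info.mode, info.size = mode, len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, reasons in audit_tar(build_sample_tar()).items():
        print(name, ", ".join(reasons))
```

A launcher reported only for the executable bit is not necessarily hostile; the combination with a document-like Name or a shell Exec is what matches the reported issue.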
Bug#860268: [Fwd: Re: Bug#860268: .desktop files can hide malware in Nautilus]
On Sat, 2017-10-07 at 21:06 +0200, Yves-Alexis Perez wrote:
> On Thu, 2017-10-05 at 21:42 +0200, Yves-Alexis Perez wrote:
> > On Sat, 2017-09-23 at 01:38 +0100, Phil Wyett wrote:
> > > Hi Security Team,
> > >
> > > Please accept the attached 'nautilus' debdiff for stretch-security.
> > >
> > > Info:
> > >
> > > The debdiff is a backport of the fix from upstream[1] and includes
> > > translations for the UI changes.
> > >
> > > [1]: https://github.com/GNOME/nautilus/commit/1630f53481f445ada0a455e9979236d31a8d3bb0
> >
> > Hi Phil,
> >
> > the debdiff looks good, but please use +deb9u1 as suffix for the version
> > number. You may then proceed with the upload to security-master.
> >
> > Note that since it's the first nautilus security upload to stretch it needs
> > to be built with -sa.
> >
> > You can safely upload a source-only upload, but you need to remove the
> > .buildinfo from the changes file before uploading.
>
> I'll take care of the upload. Do you intend to backport the patches to Jessie?
>
> Regards,

Hi,

I will look at it. But, I just know it will be a nightmare if possible at all. I shall add info to the bug report probably mid next week.

Regards

Phil

--
*** If this is a mailing list, I am subscribed, no need to CC me.***
Playing the game for the games sake.
Web: https://kathenas.org
GitLab: https://gitlab.com/kathenas
Twitter: kathenasorg
Instagram: kathenasorg
GPG: 1B97 6556 913F 73F3 9C9B 25C4 2961 D9B6 2017 A57A
Bug#860268: [Fwd: Re: Bug#860268: .desktop files can hide malware in Nautilus]
On Thu, 2017-10-05 at 21:42 +0200, Yves-Alexis Perez wrote:
> On Sat, 2017-09-23 at 01:38 +0100, Phil Wyett wrote:
> > Hi Security Team,
> >
> > Please accept the attached 'nautilus' debdiff for stretch-security.
> >
> > Info:
> >
> > The debdiff is a backport of the fix from upstream[1] and includes
> > translations for the UI changes.
> >
> > [1]: https://github.com/GNOME/nautilus/commit/1630f53481f445ada0a455e9979236d31a8d3bb0
>
> Hi Phil,
>
> the debdiff looks good, but please use +deb9u1 as suffix for the version
> number. You may then proceed with the upload to security-master.
>
> Note that since it's the first nautilus security upload to stretch it needs
> to be built with -sa.
>
> You can safely upload a source-only upload, but you need to remove the
> .buildinfo from the changes file before uploading.

I'll take care of the upload. Do you intend to backport the patches to Jessie?

Regards,
--
Yves-Alexis
Bug#860268: [Fwd: Re: Bug#860268: .desktop files can hide malware in Nautilus]
On Sat, 2017-09-23 at 01:38 +0100, Phil Wyett wrote:
> Hi Security Team,
>
> Please accept the attached 'nautilus' debdiff for stretch-security.
>
> Info:
>
> The debdiff is a backport of the fix from upstream[1] and includes
> translations for the UI changes.
>
> [1]: https://github.com/GNOME/nautilus/commit/1630f53481f445ada0a455e9979236d31a8d3bb0

Hi Phil,

the debdiff looks good, but please use +deb9u1 as suffix for the version number. You may then proceed with the upload to security-master.

Note that since it's the first nautilus security upload to stretch it needs to be built with -sa.

You can safely upload a source-only upload, but you need to remove the .buildinfo from the changes file before uploading.

Regards,
--
Yves-Alexis
Bug#860268: .desktop files can hide malware in Nautilus
On Sat, 2017-09-23 at 01:37 +0100, Phil Wyett wrote:
> On Sat, 2017-09-23 at 01:36 +0100, Phil Wyett wrote:
> > On Fri, 2017-09-22 at 17:19 -0400, Jeremy Bicha wrote:
> > > I asked on IRC about this so feel free to send the email, Phil or Donncha:
> > >
> > > jbicha | carnil: are you going to sponsor #860268 as a security update?
> > > jmm_ | jbicha: yeah, we can fix that via security.debian.org, please
> > > send a mail to t...@security.debian.org, only a few of us are on IRC
> > >
> > > Thanks,
> > > Jeremy Bicha
> >
> > Hi Security Team,
> >
> > Please accept the attached 'nautilus' debdiff for stretch-security.
> >
> > Info:
> >
> > The debdiff is a backport of the fix from upstream[1] and includes
> > translations for the UI changes.
> >
> > [1]: https://github.com/GNOME/nautilus/commit/1630f53481f445ada0a455e9979236d31a8d3bb0
> >
> > Related debian bug:
> >
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860268
> >
> > Related upstream bug:
> >
> > https://bugzilla.gnome.org/show_bug.cgi?id=777991
> >
> > Related CVE:
> >
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14604
> >
> > Debian security tracker:
> >
> > https://security-tracker.debian.org/tracker/CVE-2017-14604
> >
> > Regards
> >
> > Phil

Oops... Massive sleep derived error.

debdiff has been forwarded to security team on another email that did not have a massive recipient list and had them on it.

Apologies for the error.

Regards

Phil

--
*** If this is a mailing list, I am subscribed, no need to CC me.***
Playing the game for the games sake.
Web: https://kathenas.org
GitLab: https://gitlab.com/kathenas
Twitter: kathenasorg
Instagram: kathenasorg
GPG: 1B97 6556 913F 73F3 9C9B 25C4 2961 D9B6 2017 A57A
Bug#860268: .desktop files can hide malware in Nautilus
On Sat, 2017-09-23 at 01:36 +0100, Phil Wyett wrote:
> On Fri, 2017-09-22 at 17:19 -0400, Jeremy Bicha wrote:
> > I asked on IRC about this so feel free to send the email, Phil or Donncha:
> >
> > jbicha | carnil: are you going to sponsor #860268 as a security update?
> > jmm_ | jbicha: yeah, we can fix that via security.debian.org, please
> > send a mail to t...@security.debian.org, only a few of us are on IRC
> >
> > Thanks,
> > Jeremy Bicha
>
> Hi Security Team,
>
> Please accept the attached 'nautilus' debdiff for stretch-security.
>
> Info:
>
> The debdiff is a backport of the fix from upstream[1] and includes
> translations for the UI changes.
>
> [1]: https://github.com/GNOME/nautilus/commit/1630f53481f445ada0a455e9979236d31a8d3bb0
>
> Related debian bug:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860268
>
> Related upstream bug:
>
> https://bugzilla.gnome.org/show_bug.cgi?id=777991
>
> Related CVE:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14604
>
> Debian security tracker:
>
> https://security-tracker.debian.org/tracker/CVE-2017-14604
>
> Regards
>
> Phil

--
*** If this is a mailing list, I am subscribed, no need to CC me.***
Playing the game for the games sake.
Web: https://kathenas.org
GitLab: https://gitlab.com/kathenas
Twitter: kathenasorg
Instagram: kathenasorg
GPG: 1B97 6556 913F 73F3 9C9B 25C4 2961 D9B6 2017 A57A
Bug#860268: .desktop files can hide malware in Nautilus
On Fri, 2017-09-22 at 17:19 -0400, Jeremy Bicha wrote: > I asked on IRC about this so feel free to send the email, Phil or Donncha: > > jbicha | carnil: are you going to sponsor #860268 as a security update? > jmm_ | jbicha: yeah, we can fix that via security.debian.org, please > send a mail to t...@security.debian.org, only a few of us are on IRC > > > Thanks, > Jeremy Bicha Hi Security Team, Please accept the attached 'nautilus' debdiff for stretch-security. Info: The debdiff is a backport of the fix from upstream[1] and includes translations for the UI changes. [1]: https://github.com/GNOME/nautilus/commit/1630f53481f445ada0a455e9979236d31a 8d3bb0 Related debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860268 Related upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=777991 Related CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14604 Debian security tracker: https://security-tracker.debian.org/tracker/CVE-2017-14604 Regards Phil -- *** If this is a mailing list, I am subscribed, no need to CC me.*** Playing the game for the games sake. Web: https://kathenas.org GitLab: https://gitlab.com/kathenas Twitter: kathenasorg Instagram: kathenasorg GPG: 1B97 6556 913F 73F3 9C9B 25C4 2961 D9B6 2017 A57Adiff -Nru nautilus-3.22.3/debian/changelog nautilus-3.22.3/debian/changelog --- nautilus-3.22.3/debian/changelog 2017-03-09 02:39:58.0 +0100 +++ nautilus-3.22.3/debian/changelog 2017-09-13 22:22:40.0 +0200 
@@ -1,3 +1,15 @@ +nautilus (3.22.3-1+deb9u1) stretch-security; urgency=high + + * CVE-2017-14604: desktop_file_trust.patch ++ Spoof a file type by using the .desktop file extension, as demonstrated + by an attack in which a .desktop file's Name field ends in .pdf but + this file's Exec field launches a malicious "sh -c" command. + (Closes: #860268). + - Initial patch by Phil Wyett+ - Translations additions by Donncha O'Cearbhaill + + -- Phil Wyett Fri, 01 Sep 2017 23:43:51 +0100 + nautilus (3.22.3-1) unstable; urgency=medium * New upstream release. diff -Nru nautilus-3.22.3/debian/control nautilus-3.22.3/debian/control --- nautilus-3.22.3/debian/control 2017-03-09 02:39:58.0 +0100 +++ nautilus-3.22.3/debian/control 2017-09-20 17:58:00.0 +0200 @@ -31,7 +31,8 @@ gobject-introspection (>= 0.9.12-4~), libgirepository1.0-dev (>= 0.10.7-1~), libglib2.0-doc, - libgtk-3-doc + libgtk-3-doc, + gettext Homepage: https://wiki.gnome.org/action/show/Apps/Nautilus Vcs-Browser: https://anonscm.debian.org/viewvc/pkg-gnome/desktop/unstable/nautilus/ Vcs-Svn: svn://anonscm.debian.org/pkg-gnome/desktop/unstable/nautilus/ diff -Nru nautilus-3.22.3/debian/control.in nautilus-3.22.3/debian/control.in --- nautilus-3.22.3/debian/control.in 2016-12-10 02:59:53.0 +0100 +++ nautilus-3.22.3/debian/control.in 2017-09-20 14:52:48.0 +0200 @@ -27,7 +27,8 @@ gobject-introspection (>= 0.9.12-4~), libgirepository1.0-dev (>= 0.10.7-1~), libglib2.0-doc, - libgtk-3-doc + libgtk-3-doc, + gettext Homepage: https://wiki.gnome.org/action/show/Apps/Nautilus Vcs-Browser: https://anonscm.debian.org/viewvc/pkg-gnome/desktop/unstable/nautilus/ Vcs-Svn: svn://anonscm.debian.org/pkg-gnome/desktop/unstable/nautilus/ diff -Nru nautilus-3.22.3/debian/patches/desktop_file_trust.patch nautilus-3.22.3/debian/patches/desktop_file_trust.patch --- nautilus-3.22.3/debian/patches/desktop_file_trust.patch 1970-01-01 01:00:00.0 +0100 +++ nautilus-3.22.3/debian/patches/desktop_file_trust.patch 2017-09-14 15:26:27.0 +0200 
@@ -0,0 +1,946 @@ +From 1630f53481f445ada0a455e9979236d31a8d3bb0 Mon Sep 17 00:00:00 2001 +From: Carlos Soriano +Date: Mon, 6 Feb 2017 18:47:54 +0100 +Subject: mime-actions: use file metadata for trusting desktop files + +Currently we only trust desktop files that have the executable bit +set, and don't replace the displayed icon or the displayed name until +it's trusted, which prevents for running random programs by a malicious +desktop file. + +However, the executable permission is preserved if the desktop file +comes from a compressed file. + +To prevent this, add a metadata::trusted metadata to the file once the +user acknowledges the file as trusted. This adds metadata to the file, +which cannot be added unless it has access to the computer. + +Also remove the SHEBANG "trusted" content we were putting inside the +desktop file, since that doesn't add more security since it can come +with the file itself. + +https://bugzilla.gnome.org/show_bug.cgi?id=777991 + +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860268 + . + nautilus (3.22.3-1.1) stretch; urgency=high + . + * CVE-2017-14604: desktop_file_trust.patch ++
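Review bot: the description header inside debian/patches/desktop_file_trust.patch still reads "nautilus (3.22.3-1.1) stretch; urgency=high", while the debian/changelog hunk of the same debdiff declares 3.22.3-1+deb9u1 for stretch-security. Drop the pasted changelog stanza from the patch header or bring it in line with the changelog entry, so the patch metadata does not name a version that is never uploaded. In the changelog entry itself the sub-items mix "+" and "-" markers ("+ Spoof a file type ...", "- Initial patch by ..."); pick one.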
Bug#860268: .desktop files can hide malware in Nautilus
I asked on IRC about this so feel free to send the email, Phil or Donncha:

jbicha | carnil: are you going to sponsor #860268 as a security update?
jmm_ | jbicha: yeah, we can fix that via security.debian.org, please
send a mail to t...@security.debian.org, only a few of us are on IRC

Thanks,
Jeremy Bicha
Bug#860268: .desktop files can hide malware in Nautilus
Hi, Now that the CVE (CVE-2017-14604) has been issued and this would (well, if it ever does) pass into debian as a security update. I have updated the debdiff accordingly. See attached. Link to CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14604 If any tweaks need to be made. Please let me know via this bug report. If anyone has issues running with this patch applied. Please be sure to add information to this bug report. Regards Phil -- *** If this is a mailing list, I am subscribed, no need to CC me.*** Playing the game for the games sake. Web: https://kathenas.org GitLab: https://gitlab.com/kathenas Twitter: kathenasorg Instagram: kathenasorg GPG: 1B97 6556 913F 73F3 9C9B 25C4 2961 D9B6 2017 A57Adiff -Nru nautilus-3.22.3/debian/changelog nautilus-3.22.3/debian/changelog --- nautilus-3.22.3/debian/changelog 2017-03-09 02:39:58.0 +0100 +++ nautilus-3.22.3/debian/changelog 2017-09-13 22:22:40.0 +0200 @@ -1,3 +1,15 @@ +nautilus (3.22.3-1+deb9u1) stretch-security; urgency=high + + * CVE-2017-14604: desktop_file_trust.patch ++ Spoof a file type by using the .desktop file extension, as demonstrated + by an attack in which a .desktop file's Name field ends in .pdf but + this file's Exec field launches a malicious "sh -c" command. + (Closes: #860268). + - Initial patch by Phil Wyett+ - Translations additions by Donncha O'Cearbhaill + + -- Phil Wyett Fri, 01 Sep 2017 23:43:51 +0100 + nautilus (3.22.3-1) unstable; urgency=medium * New upstream release. diff -Nru nautilus-3.22.3/debian/control nautilus-3.22.3/debian/control --- nautilus-3.22.3/debian/control 2017-03-09 02:39:58.0 +0100 +++ nautilus-3.22.3/debian/control 2017-09-20 17:58:00.0 +0200 
@@ -31,7 +31,8 @@ gobject-introspection (>= 0.9.12-4~), libgirepository1.0-dev (>= 0.10.7-1~), libglib2.0-doc, - libgtk-3-doc + libgtk-3-doc, + gettext Homepage: https://wiki.gnome.org/action/show/Apps/Nautilus Vcs-Browser: https://anonscm.debian.org/viewvc/pkg-gnome/desktop/unstable/nautilus/ Vcs-Svn: svn://anonscm.debian.org/pkg-gnome/desktop/unstable/nautilus/ diff -Nru nautilus-3.22.3/debian/control.in nautilus-3.22.3/debian/control.in --- nautilus-3.22.3/debian/control.in 2016-12-10 02:59:53.0 +0100 +++ nautilus-3.22.3/debian/control.in 2017-09-20 14:52:48.0 +0200 @@ -27,7 +27,8 @@ gobject-introspection (>= 0.9.12-4~), libgirepository1.0-dev (>= 0.10.7-1~), libglib2.0-doc, - libgtk-3-doc + libgtk-3-doc, + gettext Homepage: https://wiki.gnome.org/action/show/Apps/Nautilus Vcs-Browser: https://anonscm.debian.org/viewvc/pkg-gnome/desktop/unstable/nautilus/ Vcs-Svn: svn://anonscm.debian.org/pkg-gnome/desktop/unstable/nautilus/ diff -Nru nautilus-3.22.3/debian/patches/desktop_file_trust.patch nautilus-3.22.3/debian/patches/desktop_file_trust.patch --- nautilus-3.22.3/debian/patches/desktop_file_trust.patch 1970-01-01 01:00:00.0 +0100 +++ nautilus-3.22.3/debian/patches/desktop_file_trust.patch 2017-09-14 15:26:27.0 +0200 
@@ -0,0 +1,946 @@ +From 1630f53481f445ada0a455e9979236d31a8d3bb0 Mon Sep 17 00:00:00 2001 +From: Carlos Soriano +Date: Mon, 6 Feb 2017 18:47:54 +0100 +Subject: mime-actions: use file metadata for trusting desktop files + +Currently we only trust desktop files that have the executable bit +set, and don't replace the displayed icon or the displayed name until +it's trusted, which prevents for running random programs by a malicious +desktop file. + +However, the executable permission is preserved if the desktop file +comes from a compressed file. + +To prevent this, add a metadata::trusted metadata to the file once the +user acknowledges the file as trusted. This adds metadata to the file, +which cannot be added unless it has access to the computer. + +Also remove the SHEBANG "trusted" content we were putting inside the +desktop file, since that doesn't add more security since it can come +with the file itself. + +https://bugzilla.gnome.org/show_bug.cgi?id=777991 + +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860268 + . + nautilus (3.22.3-1.1) stretch; urgency=high + . + * CVE-2017-14604: desktop_file_trust.patch ++ Spoof a file type by using the .desktop file extension, as demonstrated + by an attack in which a .desktop file's Name field ends in .pdf but + this file's Exec field launches a malicious "sh -c" command. + (Closes: #860268). + - Initial patch by Phil Wyett + - Translations additions by Donncha O'Cearbhaill +Author: Phil Wyett +--- + +--- a/src/nautilus-directory-async.c b/src/nautilus-directory-async.c +@@ -30,6 +30,7 @@ + #include
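Review bot: the new debian/changelog entry keeps the trailer date "Fri, 01 Sep 2017 23:43:51 +0100" although the entry now cites CVE-2017-14604 and the diff header shows the file was last modified on 2017-09-13. Refresh the trailer when the entry is rewritten so the date matches the upload that is actually being prepared.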
Bug#860268: .desktop files can hide malware in Nautilus
On Wed, 2017-09-20 at 17:30 +, Donncha O'Cearbhaill wrote: > Phil Wyett: > > On Wed, 2017-09-13 at 15:32 +, Donncha O'Cearbhaill wrote: > > > Phil Wyett: > > > > > > > > > > Hi, > > > > > > > > > > Please note that the debdiff I provided was essentially a raw backport > > > > > for > > > > > testing and I thought it may have issues. It was never meant as a > > > > > 'here it > > > > > is, > > > > > all done' patch ready for submission as a stable update. > > > > > > > > > > I am a little busy at the moment, but if I can help here, I will. > > > > > > > I have created a backport patch targeting Nautilus 3.22.3 which contains > the cherry-picked translations for the new UI string. > > It adds a line to the debian/control file to remove the pre-built .mo > translation files which were included in the upstream source release. I > also needed to add gettext as a build dependency. With this patch the > .mo/.gmo files should be rebuilt with the new strings during the Debian > package build. > > I have tested the backported Nautlius package with Tails 3.1 which is > based on Debian stable. The English and localised interface is displayed > correctly. > > Ideally this backport would be ready for Tails 3.2 which is schedule to > be released early next week. > > Please let me know if I need to make any further changes. > > Regards, > Donncha Hi, Sorry, been busy, so not had chance to get back to this. Tested on English, German and French and all Ok. Attached is updated debdiff, adding credit. Regards Phil -- *** If this is a mailing list, I am subscribed, no need to CC me.*** Playing the game for the games sake. Web: https://kathenas.org GitLab: https://gitlab.com/kathenas Twitter: kathenasorg Instagram: kathenasorg GPG: 1B97 6556 913F 73F3 9C9B 25C4 2961 D9B6 2017 A57Adiff -Nru nautilus-3.22.3/debian/changelog nautilus-3.22.3/debian/changelog --- nautilus-3.22.3/debian/changelog 2017-03-09 02:39:58.0 +0100 +++ nautilus-3.22.3/debian/changelog 2017-09-13 22:22:40.0 +0200 
@@ -1,3 +1,12 @@ +nautilus (3.22.3-1.1) stretch; urgency=high + + * Non-maintainer upload. + * Backport desktop file trust patch from upstream. (Closes: #860268). +- Initial patch by Phil Wyett+- Translations additions by Donncha O'Cearbhaill + + -- Phil Wyett Fri, 01 Sep 2017 23:43:51 +0100 + nautilus (3.22.3-1) unstable; urgency=medium * New upstream release. diff -Nru nautilus-3.22.3/debian/control nautilus-3.22.3/debian/control --- nautilus-3.22.3/debian/control 2017-03-09 02:39:58.0 +0100 +++ nautilus-3.22.3/debian/control 2017-09-20 17:58:00.0 +0200 @@ -31,7 +31,8 @@ gobject-introspection (>= 0.9.12-4~), libgirepository1.0-dev (>= 0.10.7-1~), libglib2.0-doc, - libgtk-3-doc + libgtk-3-doc, + gettext Homepage: https://wiki.gnome.org/action/show/Apps/Nautilus Vcs-Browser: https://anonscm.debian.org/viewvc/pkg-gnome/desktop/unstable/nautilus/ Vcs-Svn: svn://anonscm.debian.org/pkg-gnome/desktop/unstable/nautilus/ diff -Nru nautilus-3.22.3/debian/control.in nautilus-3.22.3/debian/control.in --- nautilus-3.22.3/debian/control.in 2016-12-10 02:59:53.0 +0100 +++ nautilus-3.22.3/debian/control.in 2017-09-20 14:52:48.0 +0200 @@ -27,7 +27,8 @@ gobject-introspection (>= 0.9.12-4~), libgirepository1.0-dev (>= 0.10.7-1~), libglib2.0-doc, - libgtk-3-doc + libgtk-3-doc, + gettext Homepage: https://wiki.gnome.org/action/show/Apps/Nautilus Vcs-Browser: https://anonscm.debian.org/viewvc/pkg-gnome/desktop/unstable/nautilus/ Vcs-Svn: svn://anonscm.debian.org/pkg-gnome/desktop/unstable/nautilus/ diff -Nru nautilus-3.22.3/debian/patches/desktop_file_trust.patch nautilus-3.22.3/debian/patches/desktop_file_trust.patch --- nautilus-3.22.3/debian/patches/desktop_file_trust.patch 1970-01-01 01:00:00.0 +0100 +++ nautilus-3.22.3/debian/patches/desktop_file_trust.patch 2017-09-14 15:26:27.0 +0200 
@@ -0,0 +1,943 @@ +From 1630f53481f445ada0a455e9979236d31a8d3bb0 Mon Sep 17 00:00:00 2001 +From: Carlos Soriano +Date: Mon, 6 Feb 2017 18:47:54 +0100 +Subject: mime-actions: use file metadata for trusting desktop files + +Currently we only trust desktop files that have the executable bit +set, and don't replace the displayed icon or the displayed name until +it's trusted, which prevents for running random programs by a malicious +desktop file. + +However, the executable permission is preserved if the desktop file +comes from a compressed file. + +To prevent this, add a metadata::trusted metadata to the file once the +user acknowledges the file as trusted. This adds metadata to the file, +which cannot be added unless it has access to the computer. + +Also remove the SHEBANG "trusted" content we were
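Review bot: the debian/changelog stanza targets "stretch" with the NMU-style version 3.22.3-1.1, which does not fit an upload through security.debian.org as requested elsewhere in this thread. For that route the entry should target stretch-security and carry the +deb9u1 suffix (3.22.3-1+deb9u1), and the stanza should name the issue being fixed rather than only "Backport desktop file trust patch from upstream", so the security relevance is visible to anyone reading the changelog.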
Bug#860268: .desktop files can hide malware in Nautilus
Phil Wyett: > On Wed, 2017-09-13 at 15:32 +, Donncha O'Cearbhaill wrote: >> Phil Wyett: Hi, Please note that the debdiff I provided was essentially a raw backport for testing and I thought it may have issues. It was never meant as a 'here it is, all done' patch ready for submission as a stable update. I am a little busy at the moment, but if I can help here, I will. I have created a backport patch targeting Nautilus 3.22.3 which contains the cherry-picked translations for the new UI string. It adds a line to the debian/control file to remove the pre-built .mo translation files which were included in the upstream source release. I also needed to add gettext as a build dependency. With this patch the .mo/.gmo files should be rebuilt with the new strings during the Debian package build. I have tested the backported Nautlius package with Tails 3.1 which is based on Debian stable. The English and localised interface is displayed correctly. Ideally this backport would be ready for Tails 3.2 which is schedule to be released early next week. Please let me know if I need to make any further changes. Regards, Donncha diff -Nru nautilus-3.22.3/debian/changelog nautilus-3.22.3/debian/changelog --- nautilus-3.22.3/debian/changelog2017-03-09 02:39:58.0 +0100 +++ nautilus-3.22.3/debian/changelog2017-09-13 22:22:40.0 +0200 @@ -1,3 +1,10 @@ +nautilus (3.22.3-1.1) stretch; urgency=high + + * Non-maintainer upload. + * Backport desktop file trust patch from upstream. (Closes: #860268). + + -- Phil WyettFri, 01 Sep 2017 23:43:51 +0100 + nautilus (3.22.3-1) unstable; urgency=medium * New upstream release. diff -Nru nautilus-3.22.3/debian/control nautilus-3.22.3/debian/control --- nautilus-3.22.3/debian/control 2017-03-09 02:39:58.0 +0100 +++ nautilus-3.22.3/debian/control 2017-09-20 17:58:00.0 +0200 
@@ -31,7 +31,8 @@ gobject-introspection (>= 0.9.12-4~), libgirepository1.0-dev (>= 0.10.7-1~), libglib2.0-doc, - libgtk-3-doc + libgtk-3-doc, + gettext Homepage: https://wiki.gnome.org/action/show/Apps/Nautilus Vcs-Browser: https://anonscm.debian.org/viewvc/pkg-gnome/desktop/unstable/nautilus/ Vcs-Svn: svn://anonscm.debian.org/pkg-gnome/desktop/unstable/nautilus/ diff -Nru nautilus-3.22.3/debian/control.in nautilus-3.22.3/debian/control.in --- nautilus-3.22.3/debian/control.in 2016-12-10 02:59:53.0 +0100 +++ nautilus-3.22.3/debian/control.in 2017-09-20 14:52:48.0 +0200 @@ -27,7 +27,8 @@ gobject-introspection (>= 0.9.12-4~), libgirepository1.0-dev (>= 0.10.7-1~), libglib2.0-doc, - libgtk-3-doc + libgtk-3-doc, + gettext Homepage: https://wiki.gnome.org/action/show/Apps/Nautilus Vcs-Browser: https://anonscm.debian.org/viewvc/pkg-gnome/desktop/unstable/nautilus/ Vcs-Svn: svn://anonscm.debian.org/pkg-gnome/desktop/unstable/nautilus/ diff -Nru nautilus-3.22.3/debian/patches/desktop_file_trust.patch nautilus-3.22.3/debian/patches/desktop_file_trust.patch --- nautilus-3.22.3/debian/patches/desktop_file_trust.patch 1970-01-01 01:00:00.0 +0100 +++ nautilus-3.22.3/debian/patches/desktop_file_trust.patch 2017-09-14 15:26:27.0 +0200 
@@ -0,0 +1,941 @@ +From 1630f53481f445ada0a455e9979236d31a8d3bb0 Mon Sep 17 00:00:00 2001 +From: Carlos Soriano +Date: Mon, 6 Feb 2017 18:47:54 +0100 +Subject: mime-actions: use file metadata for trusting desktop files + +Currently we only trust desktop files that have the executable bit +set, and don't replace the displayed icon or the displayed name until +it's trusted, which prevents for running random programs by a malicious +desktop file. + +However, the executable permission is preserved if the desktop file +comes from a compressed file. + +To prevent this, add a metadata::trusted metadata to the file once the +user acknowledges the file as trusted. This adds metadata to the file, +which cannot be added unless it has access to the computer. + +Also remove the SHEBANG "trusted" content we were putting inside the +desktop file, since that doesn't add more security since it can come +with the file itself. + +https://bugzilla.gnome.org/show_bug.cgi?id=777991 + +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860268 + . + nautilus (3.22.3-1.1) stretch; urgency=high + . + * Non-maintainer upload. + * Backport desktop file trust patch from upstream. (Closes: #860268) +Author: Phil Wyett +--- + +--- a/src/nautilus-directory-async.c b/src/nautilus-directory-async.c +@@ -30,6 +30,7 @@ + #include "nautilus-global-preferences.h" + #include "nautilus-link.h" + #include "nautilus-profile.h" ++#include "nautilus-metadata.h" + #include + #include + #include +@@ -3580,13 +3581,17 @@ + { +
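Review bot: the debian/control and debian/control.in hunks only append gettext to a dependency list; the step that removes the pre-built .mo/.gmo files, which the covering mail attributes to debian/control, is not in either hunk. A removal like that belongs in debian/rules, so confirm the debdiff carries it there, otherwise the build will keep shipping the upstream .gmo files without the new "Trust and _Launch" translations. It is also worth checking which field the edited list is: its last visible entries are -doc packages, and if it is Build-Depends-Indep, gettext will not be present for architecture-only builds.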
Bug#860268: .desktop files can hide malware in Nautilus
CVE-2017-14604 has been issued for this vulnerability.
Bug#860268: .desktop files can hide malware in Nautilus
It looks like I attached the wrong debdiff to my previous email. I have attached the correct version now. diff -Nru nautilus-3.22.3/debian/changelog nautilus-3.22.3/debian/changelog --- nautilus-3.22.3/debian/changelog2017-03-09 02:39:58.0 +0100 +++ nautilus-3.22.3/debian/changelog2017-09-13 22:22:40.0 +0200 @@ -1,3 +1,10 @@ +nautilus (3.22.3-1.1) stretch; urgency=high + + * Non-maintainer upload. + * Backport desktop file trust patch from upstream. (Closes: #860268). + + -- Phil WyettFri, 01 Sep 2017 23:43:51 +0100 + nautilus (3.22.3-1) unstable; urgency=medium * New upstream release. diff -Nru nautilus-3.22.3/debian/patches/desktop_file_trust.patch nautilus-3.22.3/debian/patches/desktop_file_trust.patch --- nautilus-3.22.3/debian/patches/desktop_file_trust.patch 1970-01-01 01:00:00.0 +0100 +++ nautilus-3.22.3/debian/patches/desktop_file_trust.patch 2017-09-14 15:26:27.0 +0200 
@@ -0,0 +1,941 @@ +From 1630f53481f445ada0a455e9979236d31a8d3bb0 Mon Sep 17 00:00:00 2001 +From: Carlos Soriano +Date: Mon, 6 Feb 2017 18:47:54 +0100 +Subject: mime-actions: use file metadata for trusting desktop files + +Currently we only trust desktop files that have the executable bit +set, and don't replace the displayed icon or the displayed name until +it's trusted, which prevents for running random programs by a malicious +desktop file. + +However, the executable permission is preserved if the desktop file +comes from a compressed file. + +To prevent this, add a metadata::trusted metadata to the file once the +user acknowledges the file as trusted. This adds metadata to the file, +which cannot be added unless it has access to the computer. + +Also remove the SHEBANG "trusted" content we were putting inside the +desktop file, since that doesn't add more security since it can come +with the file itself. + +https://bugzilla.gnome.org/show_bug.cgi?id=777991 + +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860268 + . + nautilus (3.22.3-1.1) stretch; urgency=high + . + * Non-maintainer upload. + * Backport desktop file trust patch from upstream. 
(Closes: #860268) +Author: Phil Wyett +--- + +--- a/src/nautilus-directory-async.c b/src/nautilus-directory-async.c +@@ -30,6 +30,7 @@ + #include "nautilus-global-preferences.h" + #include "nautilus-link.h" + #include "nautilus-profile.h" ++#include "nautilus-metadata.h" + #include + #include + #include +@@ -3580,13 +3581,17 @@ + { + GFile *location; + gboolean res; ++g_autofree gchar* trusted = NULL; + + if (!is_launcher) + { + return TRUE; + } + +-if (nautilus_file_can_execute (file)) ++trusted = nautilus_file_get_metadata (file, ++ NAUTILUS_METADATA_KEY_DESKTOP_FILE_TRUSTED, ++ NULL); ++if (nautilus_file_can_execute (file) && trusted != NULL) + { + return TRUE; + } +--- a/src/nautilus-file-operations.c b/src/nautilus-file-operations.c +@@ -235,10 +235,10 @@ + #define COPY_FORCE _("Copy _Anyway") + + static void +-mark_desktop_file_trusted (CommonJob*common, +- GCancellable *cancellable, +- GFile*file, +- gboolean interactive); ++mark_desktop_file_executable (CommonJob*common, ++ GCancellable *cancellable, ++ GFile*file, ++ gboolean interactive); + + static gboolean + is_all_button_text (const char *button_text) +@@ -5290,10 +5290,10 @@ + g_file_equal (copy_job->desktop_location, dest_dir) && + is_trusted_desktop_file (src, job->cancellable)) + { +-mark_desktop_file_trusted (job, +- job->cancellable, +- dest, +- FALSE); ++mark_desktop_file_executable (job, ++ job->cancellable, ++ dest, ++ FALSE); + } + + if (job->undo_info != NULL) +@@ -7887,9 +7887,9 @@ + } + + static void +-mark_trusted_task_done (GObject *source_object, +-GAsyncResult *res, +-gpointer user_data) ++mark_desktop_file_executable_task_done (GObject *source_object, ++GAsyncResult *res, ++gpointer user_data) + { + MarkTrustedJob *job = user_data; + +@@ -7907,13 +7907,11 @@ + #define TRUSTED_SHEBANG "#!/usr/bin/env xdg-open\n" + + static void +-mark_desktop_file_trusted (CommonJob*common, +- GCancellable *cancellable, +- GFile
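Review bot: in the is_link_trusted hunk of src/nautilus-directory-async.c, the new condition "trusted != NULL" accepts any value stored under NAUTILUS_METADATA_KEY_DESKTOP_FILE_TRUSTED, so trust rests on the key being present rather than on what was written. Compare against the value the marking code stores, so that an empty or unexpected value does not count as trusted. A short comment above the condition saying why nautilus_file_can_execute (file) alone is no longer enough (the executable bit survives archive extraction, per the commit message) would help the next reader.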
Bug#860268: .desktop files can hide malware in Nautilus
Phil Wyett:
> Please note that the debdiff I provided was essentially a raw backport for
> testing and I thought it may have issues. It was never meant as a 'here it is,
> all done' patch ready for submission as a stable update.
>
> I am a little busy at the moment, but if I can help here, I will.
>
> Regards
>
> Phil
>

Hi,

I have cherry-picked the translations for the string "Trust and _Launch" and created an updated patch and debdiff containing those strings in the respective .po files.

Unfortunately it looks like the Debian package does not rebuild the .gmo/.mo files from the .po files during the build. Instead it uses the pre-built .gmo files which have been included in the upstream release. As a result the added translations are not included with the built package.

I'm not sure what is the best way to resolve this:

1. Add gettext build dependency and rebuild the .mo files
2. Ask upstream maintainer to make a 3.22 release containing the patch and translation
3. Create release without translation for that one string

Phil, I have tested your patch on Tails 3.1 (based on Debian Jessie) and it is functioning as expected.

From 1630f53481f445ada0a455e9979236d31a8d3bb0 Mon Sep 17 00:00:00 2001
From: Carlos SorianoDate: Mon, 6 Feb 2017 18:47:54 +0100 Subject: mime-actions: use file metadata for trusting desktop files Currently we only trust desktop files that have the executable bit set, and don't replace the displayed icon or the displayed name until it's trusted, which prevents for running random programs by a malicious desktop file. However, the executable permission is preserved if the desktop file comes from a compressed file. To prevent this, add a metadata::trusted metadata to the file once the user acknowledges the file as trusted. This adds metadata to the file, which cannot be added unless it has access to the computer. Also remove the SHEBANG "trusted" content we were putting inside the desktop file, since that doesn't add more security since it can come with the file itself. https://bugzilla.gnome.org/show_bug.cgi?id=777991 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860268 . nautilus (3.22.3-1.1) stretch; urgency=high . * Non-maintainer upload. * Backport desktop file trust patch from upstream. (Closes: #860268) Author: Phil Wyett --- --- nautilus-3.22.3.orig/src/nautilus-directory-async.c +++ nautilus-3.22.3/src/nautilus-directory-async.c @@ -30,6 +30,7 @@ #include "nautilus-global-preferences.h" #include "nautilus-link.h" #include "nautilus-profile.h" +#include "nautilus-metadata.h" #include #include #include @@ -3580,13 +3581,17 @@ is_link_trusted (NautilusFile *file, { GFile *location; gboolean res; +g_autofree gchar* trusted = NULL; if (!is_launcher) { return TRUE; } -if (nautilus_file_can_execute (file)) +trusted = nautilus_file_get_metadata (file, + NAUTILUS_METADATA_KEY_DESKTOP_FILE_TRUSTED, + NULL); +if (nautilus_file_can_execute (file) && trusted != NULL) { return TRUE; } --- nautilus-3.22.3.orig/src/nautilus-file-operations.c +++ nautilus-3.22.3/src/nautilus-file-operations.c 
@@ -235,10 +235,10 @@ typedef struct #define COPY_FORCE _("Copy _Anyway") static void -mark_desktop_file_trusted (CommonJob*common, - GCancellable *cancellable, - GFile*file, - gboolean interactive); +mark_desktop_file_executable (CommonJob*common, + GCancellable *cancellable, + GFile*file, + gboolean interactive); static gboolean is_all_button_text (const char *button_text) @@ -5290,10 +5290,10 @@ retry: g_file_equal (copy_job->desktop_location, dest_dir) && is_trusted_desktop_file (src, job->cancellable)) { -mark_desktop_file_trusted (job, - job->cancellable, - dest, - FALSE); +mark_desktop_file_executable (job, + job->cancellable, + dest, + FALSE); } if (job->undo_info != NULL) @@ -7887,9 +7887,9 @@ nautilus_file_operations_empty_trash (Gt } static void -mark_trusted_task_done (GObject *source_object, -GAsyncResult *res, -gpointer user_data) +mark_desktop_file_executable_task_done (GObject *source_object, +GAsyncResult *res, +gpointer user_data) { MarkTrustedJob *job = user_data; @@ -7907,13 +7907,11 @@
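Review bot: in the is_link_trusted hunk of src/nautilus-directory-async.c, the new condition `nautilus_file_can_execute (file) && trusted != NULL` treats any non-NULL value stored under NAUTILUS_METADATA_KEY_DESKTOP_FILE_TRUSTED as trust. Compare against the exact value the trust dialog writes rather than testing for presence only, and add a comment above the check saying that both the execute bit and the metadata key are required, since the commit message explains that the execute bit alone survives extraction from a compressed file.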
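Review bot: in src/nautilus-file-operations.c the rename to mark_desktop_file_executable and mark_desktop_file_executable_task_done is incomplete, because the context line `MarkTrustedJob *job = user_data;` shows the job type still carries the old "trusted" name; rename the struct as well or note why it stays. In the copy-to-desktop hunk at @@ -5290, dest is now only marked executable while is_link_trusted also requires the metadata key, and the visible lines do not set that key on dest, so a comment should state whether a launcher copied from a trusted source is meant to arrive untrusted.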
Bug#860268: .desktop files can hide malware in Nautilus
On Wed, 2017-09-13 at 15:32 +, Donncha O'Cearbhaill wrote:
> Phil Wyett:
> > > Hi,
> > >
> > > Please note that the debdiff I provided was essentially a raw backport for
> > > testing and I thought it may have issues. It was never meant as a 'here it
> > > is, all done' patch ready for submission as a stable update.
> > >
> > > I am a little busy at the moment, but if I can help here, I will.
> > >
> > > Regards
> > >
> > > Phil
> >
> > Hi,
> >
> > Has anyone looked at how Red Hat are approaching this issue? RHEL 7.4 is
> > gnome 3.22 and using nautilus 3.22.3 I believe.
> >
> > Regards
> >
> > Phil
>
> The corresponding Red Hat bug is at
> https://bugzilla.redhat.com/show_bug.cgi?id=1442231. Unfortunately there
> has not been any progress with fixing this issue in RHEL or Fedora 25
> either.
>
> Thanks for creating the original patch. I'm not experienced with Debian
> packing, but I will try to test your patch later today.

Hi,

Being that this is tagged against Fedora 27 in Red Hat's bugzilla, I have cloned the bug and assigned it to RHEL 7.4.

https://bugzilla.redhat.com/show_bug.cgi?id=1491425

Regards

Phil

--
*** If this is a mailing list, I am subscribed, no need to CC me.***
Playing the game for the games sake.
Web: https://kathenas.org
Github: https://github.com/kathenas
Twitter: kathenasorg
Instagram: kathenasorg
Bug#860268: .desktop files can hide malware in Nautilus
Phil Wyett:
>> Hi,
>>
>> Please note that the debdiff I provided was essentially a raw backport for
>> testing and I thought it may have issues. It was never meant as a 'here it
>> is, all done' patch ready for submission as a stable update.
>>
>> I am a little busy at the moment, but if I can help here, I will.
>>
>> Regards
>>
>> Phil
>
> Hi,
>
> Has anyone looked at how Red Hat are approaching this issue? RHEL 7.4 is gnome
> 3.22 and using nautilus 3.22.3 I believe.
>
> Regards
>
> Phil

The corresponding Red Hat bug is at https://bugzilla.redhat.com/show_bug.cgi?id=1442231. Unfortunately there has not been any progress with fixing this issue in RHEL or Fedora 25 either.

Thanks for creating the original patch. I'm not experienced with Debian packing, but I will try to test your patch later today.
Bug#860268: .desktop files can hide malware in Nautilus
On Wed, 2017-09-13 at 15:30 +0100, Phil Wyett wrote:
> On Wed, 2017-09-13 at 13:36 +, Donncha O'Cearbhaill wrote:
> > Jeremy Bicha:
> > > It's not just a UI change but a translatable string change. The new
> > > dialog that users will have to use to mark .desktop's as trusted will
> > > be untranslated.
> > >
> > > Therefore, if you want this feature, you will need to use Nautilus >=
> > > 3.24 which means you will need to upgrade to buster.
> >
> > I understand backporting is more difficult when there are user facing UI
> > and localisation changes. AFAIK the only new translatable string in the
> > patch is "Trust and _Launch". Would it be possible to include the
> > translations for that string with this backport patch?
> >
> > Personally I don't consider this change a *feature*, it is a fix for a
> > serious security issue affecting Debian stable users (and Tails). The
> > issue is trivially exploitable against the default configuration.
> >
> > Video demonstrating the issue:
> > https://twitter.com/bleidl/status/851969179980845056
> > More information and an example:
> > https://github.com/DonnchaC/desktop-file-social-engineering
>
> Hi,
>
> Please note that the debdiff I provided was essentially a raw backport for
> testing and I thought it may have issues. It was never meant as a 'here it is,
> all done' patch ready for submission as a stable update.
>
> I am a little busy at the moment, but if I can help here, I will.
>
> Regards
>
> Phil

Hi,

Has anyone looked at how Red Hat are approaching this issue? RHEL 7.4 is gnome 3.22 and using nautilus 3.22.3 I believe.

Regards

Phil

--
*** If this is a mailing list, I am subscribed, no need to CC me.***
Playing the game for the games sake.
Web: https://kathenas.org
Github: https://github.com/kathenas
Twitter: kathenasorg
Instagram: kathenasorg
Bug#860268: .desktop files can hide malware in Nautilus
On Wed, 2017-09-13 at 13:36 +, Donncha O'Cearbhaill wrote:
> Jeremy Bicha:
> > It's not just a UI change but a translatable string change. The new
> > dialog that users will have to use to mark .desktop's as trusted will
> > be untranslated.
> >
> > Therefore, if you want this feature, you will need to use Nautilus >=
> > 3.24 which means you will need to upgrade to buster.
>
> I understand backporting is more difficult when there are user facing UI
> and localisation changes. AFAIK the only new translatable string in the
> patch is "Trust and _Launch". Would it be possible to include the
> translations for that string with this backport patch?
>
> Personally I don't consider this change a *feature*, it is a fix for a
> serious security issue affecting Debian stable users (and Tails). The
> issue is trivially exploitable against the default configuration.
>
> Video demonstrating the issue:
> https://twitter.com/bleidl/status/851969179980845056
> More information and an example:
> https://github.com/DonnchaC/desktop-file-social-engineering

Hi,

Please note that the debdiff I provided was essentially a raw backport for testing and I thought it may have issues. It was never meant as a 'here it is, all done' patch ready for submission as a stable update.

I am a little busy at the moment, but if I can help here, I will.

Regards

Phil

--
*** If this is a mailing list, I am subscribed, no need to CC me.***
Playing the game for the games sake.
Web: https://kathenas.org
Github: https://github.com/kathenas
Twitter: kathenasorg
Instagram: kathenasorg
Bug#860268: .desktop files can hide malware in Nautilus
Jeremy Bicha:
> It's not just a UI change but a translatable string change. The new
> dialog that users will have to use to mark .desktop's as trusted will
> be untranslated.
>
> Therefore, if you want this feature, you will need to use Nautilus >=
> 3.24 which means you will need to upgrade to buster.

I understand backporting is more difficult when there are user facing UI and localisation changes. AFAIK the only new translatable string in the patch is "Trust and _Launch". Would it be possible to include the translations for that string with this backport patch?

Personally I don't consider this change a *feature*, it is a fix for a serious security issue affecting Debian stable users (and Tails). The issue is trivially exploitable against the default configuration.

Video demonstrating the issue:
https://twitter.com/bleidl/status/851969179980845056
More information and an example:
https://github.com/DonnchaC/desktop-file-social-engineering
Bug#860268: .desktop files can hide malware in Nautilus
On Thu, Sep 7, 2017 at 9:34 AM, Donncha O'Cearbhaill wrote:
> The upstream developer has now indicated that they will not be
> backporting the fix to 3.22.x. They have a policy of not backporting
> fixes which involve UI changes in stable branches.
>
> Will Debian backport this issue themselves? I have requested a CVE which
> I hope will help other distros to coordinate their fixes.

It's not just a UI change but a translatable string change. The new dialog that users will have to use to mark .desktop's as trusted will be untranslated.

Therefore, if you want this feature, you will need to use Nautilus >= 3.24 which means you will need to upgrade to buster.

Thanks,
Jeremy Bicha
Bug#860268: .desktop files can hide malware in Nautilus
Is there anything that I can do to help get this backport patch deployed? This issue can be exploited in the wild and I think it should be fixed as soon as possible. I am still waiting for a response for my CVE request.
Bug#860268: .desktop files can hide malware in Nautilus
The upstream developer has now indicated that they will not be backporting the fix to 3.22.x. They have a policy of not backporting fixes which involve UI changes in stable branches.

Will Debian backport this issue themselves? I have requested a CVE which I hope will help other distros to coordinate their fixes.

Upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=777991

intrigeri:
> Control: tag -1 + security
>
> Donncha O'Cearbhaill:
>> Thank you Phil for providing a backport patch. What is the next step
>> needed to get this fix released as a backport? The .desktop security
>> issue is widely known and can be exploited in the wild [1]. IMO this
>> fix should be made available as soon as possible.
>
> IMO the next step is to find out the answer to "Is there any plan
> upstream to backport this fix to their 3.22.x branch, and/or to
> request a CVE?": if this problem is as severe as it sounds, then it
> should be tracked as a security issue and fixed cross-distro, rather
> than patched in only the distros that are lucky enough to have users
> who care about such things.
Bug#860268: .desktop files can hide malware in Nautilus
intrigeri:
> Control: tag -1 + security
>
> Donncha O'Cearbhaill:
>> Thank you Phil for providing a backport patch. What is the next step
>> needed to get this fix released as a backport? The .desktop security
>> issue is widely known and can be exploited in the wild [1]. IMO this
>> fix should be made available as soon as possible.
>
> IMO the next step is to find out the answer to "Is there any plan
> upstream to backport this fix to their 3.22.x branch, and/or to
> request a CVE?": if this problem is as severe as it sounds, then it
> should be tracked as a security issue and fixed cross-distro, rather
> than patched in only the distros that are lucky enough to have users
> who care about such things.

The upstream developer has indicated that he is willing to make a 3.22.x release if a backport patch is provided. I've sent him a link to Phil Wyett's debdiff which I hope is acceptable.

I will also file a CVE request for this issue which should help to coordinate the release of this fix for other distros.

Upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=777991
Bug#860268: .desktop files can hide malware in Nautilus
Control: tag -1 + security

Donncha O'Cearbhaill:
> Thank you Phil for providing a backport patch. What is the next step
> needed to get this fix released as a backport? The .desktop security
> issue is widely known and can be exploited in the wild [1]. IMO this
> fix should be made available as soon as possible.

IMO the next step is to find out the answer to "Is there any plan upstream to backport this fix to their 3.22.x branch, and/or to request a CVE?": if this problem is as severe as it sounds, then it should be tracked as a security issue and fixed cross-distro, rather than patched in only the distros that are lucky enough to have users who care about such things.
Bug#860268: .desktop files can hide malware in Nautilus
Hi,

Thank you Phil for providing a backport patch. What is the next step needed to get this fix released as a backport? The .desktop security issue is widely known and can be exploited in the wild [1]. IMO this fix should be made available as soon as possible.

Regards,
Donncha

[1] https://github.com/freedomofpress/securedrop/issues/2238
Bug#860268: .desktop files can hide malware in Nautilus
On Fri, 2017-09-01 at 21:53 +0200, intrigeri wrote:
> Hi!
>
> Micah Lee:
> > The upstream nautilus issue [1] has already been resolved, and will be
> > released in nautilus 3.24. But since this is an important security
> > issue, I think this patch should be backported so that it's fixed in
> > older versions of Debian.
>
> Thanks for raising this issue in Debian!
>
> Is there any plan upstream to backport this fix to their 3.22.x
> branch, and/or to request a CVE?
>
> Did you personally check whether it's straightforward to backport the
> fix to 3.22?
>
> Cheers,

Hi,

Seeing this bug. I have backported from the upstream patch (hash issue with upstream diff) for testing purposes and all looks good.

If anyone wishes to test, a debdiff is attached.

The debdiff is prepared with a 'stretch-pu' in mind. If any edits are required, please do not hesitate to let me know.

Regards

Phil

--
*** If this is a mailing list, I am subscribed, no need to CC me.***
Playing the game for the games sake.
Web: https://kathenas.org
Twitter: kathenasorg
Instagram: kathenasorg

diff -Nru nautilus-3.22.3/debian/changelog nautilus-3.22.3/debian/changelog --- nautilus-3.22.3/debian/changelog 2017-03-09 01:39:58.0 + +++ nautilus-3.22.3/debian/changelog 2017-09-01 23:43:51.0 +0100 @@ -1,3 +1,10 @@ +nautilus (3.22.3-1.1) stretch; urgency=high + + * Non-maintainer upload. + * Backport desktop file trust patch from upstream. (Closes: #860268). + + -- Phil WyettFri, 01 Sep 2017 23:43:51 +0100 + nautilus (3.22.3-1) unstable; urgency=medium * New upstream release. diff -Nru nautilus-3.22.3/debian/patches/desktop_file_trust.patch nautilus-3.22.3/debian/patches/desktop_file_trust.patch --- nautilus-3.22.3/debian/patches/desktop_file_trust.patch 1970-01-01 01:00:00.0 +0100 +++ nautilus-3.22.3/debian/patches/desktop_file_trust.patch 2017-09-01 23:43:51.0 +0100
@@ -0,0 +1,408 @@ +From 1630f53481f445ada0a455e9979236d31a8d3bb0 Mon Sep 17 00:00:00 2001 +From: Carlos Soriano +Date: Mon, 6 Feb 2017 18:47:54 +0100 +Subject: mime-actions: use file metadata for trusting desktop files + +Currently we only trust desktop files that have the executable bit +set, and don't replace the displayed icon or the displayed name until +it's trusted, which prevents for running random programs by a malicious +desktop file. + +However, the executable permission is preserved if the desktop file +comes from a compressed file. + +To prevent this, add a metadata::trusted metadata to the file once the +user acknowledges the file as trusted. This adds metadata to the file, +which cannot be added unless it has access to the computer. + +Also remove the SHEBANG "trusted" content we were putting inside the +desktop file, since that doesn't add more security since it can come +with the file itself. + +https://bugzilla.gnome.org/show_bug.cgi?id=777991 + +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860268 + . + nautilus (3.22.3-1.1) stretch; urgency=high + . + * Non-maintainer upload. + * Backport desktop file trust patch from upstream. 
(Closes: #860268) +Author: Phil Wyett +--- + +--- nautilus-3.22.3.orig/src/nautilus-directory-async.c nautilus-3.22.3/src/nautilus-directory-async.c +@@ -30,6 +30,7 @@ + #include "nautilus-global-preferences.h" + #include "nautilus-link.h" + #include "nautilus-profile.h" ++#include "nautilus-metadata.h" + #include + #include + #include +@@ -3580,13 +3581,17 @@ is_link_trusted (NautilusFile *file, + { + GFile *location; + gboolean res; ++g_autofree gchar* trusted = NULL; + + if (!is_launcher) + { + return TRUE; + } + +-if (nautilus_file_can_execute (file)) ++trusted = nautilus_file_get_metadata (file, ++ NAUTILUS_METADATA_KEY_DESKTOP_FILE_TRUSTED, ++ NULL); ++if (nautilus_file_can_execute (file) && trusted != NULL) + { + return TRUE; + } +--- nautilus-3.22.3.orig/src/nautilus-file-operations.c nautilus-3.22.3/src/nautilus-file-operations.c +@@ -235,10 +235,10 @@ typedef struct + #define COPY_FORCE _("Copy _Anyway") + + static void +-mark_desktop_file_trusted (CommonJob*common, +- GCancellable *cancellable, +- GFile*file, +- gboolean interactive); ++mark_desktop_file_executable (CommonJob*common, ++ GCancellable *cancellable, ++ GFile*file, ++ gboolean interactive); + + static gboolean + is_all_button_text (const char *button_text) +@@ -5290,10 +5290,10 @@ retry: + g_file_equal (copy_job->desktop_location, dest_dir) && + is_trusted_desktop_file (src, job->cancellable)) + { +-mark_desktop_file_trusted (job, +-
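Review bot: the debian/changelog hunk uses the plain NMU version 3.22.3-1.1 with distribution `stretch`, which does not mark the upload as a stable update; the security team's reply in this thread asks for a +deb9u1 suffix. The entry `(Closes: #860268).` would also read better if it said what the patch changes for users (launchers now need explicit trust metadata in addition to the execute bit), since that is a behaviour change in a stable release.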
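Review bot: the header of debian/patches/desktop_file_trust.patch pastes the Debian changelog stanza into the upstream commit message and carries both `From: Carlos Soriano` and `Author: Phil Wyett`, which leaves authorship of the change ambiguous. Keep the upstream message as written and record provenance in DEP-3 fields instead, for example an `Origin:` line naming upstream commit 1630f53481f445ada0a455e9979236d31a8d3bb0 and a `Bug-Debian:` line for #860268, with the backporter credited separately from the author.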
Bug#860268: .desktop files can hide malware in Nautilus
Hi!

Micah Lee:
> The upstream nautilus issue [1] has already been resolved, and will be
> released in nautilus 3.24. But since this is an important security
> issue, I think this patch should be backported so that it's fixed in
> older versions of Debian.

Thanks for raising this issue in Debian!

Is there any plan upstream to backport this fix to their 3.22.x branch, and/or to request a CVE?

Did you personally check whether it's straightforward to backport the fix to 3.22?

Cheers,
--
intrigeri
Bug#860268: .desktop files can hide malware in Nautilus
Package: nautilus
Version: 3.22.3-1

There is a bug in Nautilus that makes it possible to disguise a malicious script as an innocent document, like a PDF or ODT, that gets executed when the user opens it.

The upstream nautilus issue [1] has already been resolved, and will be released in nautilus 3.24. But since this is an important security issue, I think this patch should be backported so that it's fixed in older versions of Debian.

See this blog post [2] for more about how this bug allows attackers to compromise the security-focused Debian-based distro Subgraph.

[1] https://bugzilla.gnome.org/show_bug.cgi?id=777991
[2] https://micahflee.com/2017/04/breaking-the-security-model-of-subgraph-os/
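Added example, not code from this bug report or from Nautilus: the upstream commit message quoted in this thread notes that the execute bit, the only trust signal before the fix, is preserved when a .desktop file comes out of a compressed file. This Python sketch lists the .desktop members of a tar archive with their permission bits and Name/Exec fields without extracting anything, so an archive can be triaged before it is opened on an unpatched system; the sample archive, its file names and the document-suffix list are constructed assumptions.

```python
import configparser
import io
import tarfile

# Constructed assumption: suffixes a user would read as "this is a document".
DOC_SUFFIXES = (".pdf", ".odt", ".doc", ".docx", ".txt", ".png", ".jpg")


def build_sample_archive():
    """Constructed sample: the same launcher stored with and without the x bit."""
    entry = (
        "[Desktop Entry]\n"
        "Type=Application\n"
        "Name=report.pdf\n"        # display name imitates a document
        "Icon=x-office-document\n"
        "Exec=/bin/true\n"         # harmless placeholder command
    ).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode in (("docs/report.desktop", 0o755),
                           ("docs/notes.desktop", 0o644)):
            info = tarfile.TarInfo(name)
            info.size = len(entry)
            info.mode = mode       # tar records permission bits per member
            tar.addfile(info, io.BytesIO(entry))
    return buf.getvalue()


def parse_desktop_entry(text):
    """Return the [Desktop Entry] keys as a dict, or {} if unparsable."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       delimiters=("=",))
    parser.optionxform = str       # keys are case-sensitive
    try:
        parser.read_string(text)
    except configparser.Error:
        return {}
    if not parser.has_section("Desktop Entry"):
        return {}
    return dict(parser["Desktop Entry"])


def audit_archive(data):
    """List .desktop members with mode bits and key fields; extracts nothing to disk."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            if not (member.isfile() and member.name.lower().endswith(".desktop")):
                continue
            raw = tar.extractfile(member).read().decode("utf-8", "replace")
            entry = parse_desktop_entry(raw)
            name = entry.get("Name", "")
            findings.append({
                "member": member.name,
                "mode": oct(member.mode & 0o777),
                # The execute bit alone was the pre-fix trust signal.
                "executable": bool(member.mode & 0o111),
                "name": name,
                "exec": entry.get("Exec", ""),
                "name_looks_like_document": name.lower().endswith(DOC_SUFFIXES),
            })
    return findings


if __name__ == "__main__":
    for finding in audit_archive(build_sample_archive()):
        print(finding)
```

A member that is both `executable` and `name_looks_like_document` is the combination the report describes; with the backported fix such a file still lacks the trust metadata until the user confirms it.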