Common vulnerability in various desktop environments' implementations of the freedesktop.org desktop-entry-spec

The file trojan.desktop will, when saved to disk and viewed in a file manager, appear as a harmless image file. When you open it, it will (assuming that you have Python and PyGTK installed) execute arbitrary code that will show you a message telling you that you have been owned.

In order to test what your browser would do if you encountered this file in the wild, try viewing trojan-axd.desktop or trojan-aos.desktop. These files contain the same data, but are served with different Content-Type headers: application/x-desktop and application/octet-stream, respectively.

Has no one noticed this flaw before?

Sadly yes, but it was not considered a problem.

• Sam Watkins, .desktop files, serious security hole, virus-friendliness (message to xdg@freedesktop.org, 2006-04-03)

• LWN.net, .desktop files and security

• Ubuntu bug report

• GNOME bug report

• "foobar". How to write a Linux virus in 5 easy steps, 2009-02-11 (commentary on LWN.net)

What is vulnerable?

How does your desktop environment fare?

If you have corrections or new data, please send them to <sam AT robots DOT org DOT uk>.