Common vulnerability in various desktop environments' implementations of the freedesktop.org desktop-entry-spec

The file trojan.desktop will, when saved to disk and viewed in a file manager, appear as a harmless image file. When you open it, it will (assuming that you have Python and PyGTK installed) execute arbitrary code that will show you a message telling you that you have been owned.

Has no one noticed this flaw before?

Sadly yes, but it was not considered a problem.

What is vulnerable?

How does your desktop environment fare?

implementation

fake filename

fake icon

exectes code

GNOME 2.20 (nautilus 2.20.0)

yes

yes

yes

GNOME 2.22 (nautilus 2.22.2)

yes

yes

yes

GNOME 2.24 (nautilus 2.24.2)

yes

yes

yes

KDE (konqueror 3.5.8)

no

yes

yes

XFCE 4.4.1 (thunar 0.8.0)

no

no

no

If you have corrections or new data, please send them to <sam AT robots DOT org DOT uk>.


robots.org.uk: DesktopEntryVulnerability (last edited 2009-02-25 23:36:52 by sam)

© Sam Morris <sam@robots.org.uk>.
Content may be distributed and modified providing this notice is preserved.