Backport security fix for Nautilus .desktop file RCE (#14584) · Issues · tails / tails

Backport security fix for Nautilus .desktop file RCE

Originally created by @DonnchaC on #14584 (Redmine)

There is a major security issue with how Nautilus <= 3.22 handlers .desktop launcher shortcuts. Trusted .desktop launchers are able to run arbitrary code when launched. Any .desktop with the executable bit set are treated as trusted by Nautilus.

This opens an attack where an executable .desktop file can be delivered by an attacker in an archive file. After extraction the .desktop file is displayed with an attacker controlled filename and icon. This vulnerability affects Tails users and was demonstrated in a proof-of-concept with SecureDrop users https://github.com/freedomofpress/securedrop/issues/2238

The security issue was fixed in Nautilus 3.24 but it was not backported to previous versions. Micah Lee has opened a backport request at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860268.

I think it is important that this fix be applied for Tails users as soon as possible. I’m happy to help in any way that I can.

Nautilus bug report: https://bugzilla.gnome.org/show_bug.cgi?id=777991
Debian ticket request backport: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860268

Related issues

Related to #14793 (closed)

_Originally created by @DonnchaC on [#14584 (Redmine)](https://public-redmine-archive.tails.boum.org/code/issues/14584)_

There is a major security issue with how Nautilus \<= 3.22 handlers
.desktop launcher shortcuts. Trusted .desktop launchers are able to run
arbitrary code when launched. Any .desktop with the executable bit set
are treated as trusted by Nautilus.

This opens an attack where an executable .desktop file can be delivered
by an attacker in an archive file. After extraction the .desktop file is
displayed with an attacker controlled filename and icon. This
vulnerability affects Tails users and was demonstrated in a
proof-of-concept with SecureDrop users
<https://github.com/freedomofpress/securedrop/issues/2238>

The security issue was fixed in Nautilus 3.24 but it was not backported
to previous versions. Micah Lee has opened a backport request at
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860268>.

I think it is important that this fix be applied for Tails users as soon
as possible. I’m happy to help in any way that I can.

Nautilus bug report:
<https://bugzilla.gnome.org/show_bug.cgi?id=777991>  
Debian ticket request backport:
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860268>

### Related issues

- **Related to** tails/tails#14793

Edited May 15, 2020 by DonnchaC

Discussion
Designs

The one place for your designs

To enable design management, you'll need to meet the requirements. If you need help, reach out to our support team for assistance.