Bug 779547 - Deceptive Display of Dangerous File
Status: RESOLVED DUPLICATE of bug 777991
Product: nautilus
Classification: Core
Component: File and Folder Operations
Version: 3.14.x
OS: Other Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: Nautilus Maintainers
Depends on:
Blocks:
Reported: 2017-03-03 17:34 UTC by Ankit Pati
Modified: 2017-03-04 11:50 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Executable “.desktop” file in TAR archive (2.00 KB, application/x-tar)
2017-03-03 17:34 UTC, Ankit Pati

Description Ankit Pati 2017-03-03 17:34:00 UTC
Created attachment 347159 [details]
Executable “.desktop” file in TAR archive

Download the attachment, extract, and try to view the “LibreOffice Document.”

This is clearly a very deceptive display of a dangerous file type by Nautilus, that will readily enable social engineering attacks against even the most experienced Linux users.
Comment 1 Carlos Soriano 2017-03-03 18:02:08 UTC
Not sure I understand, what's the issue? What do you mean by deceptive display?
Comment 2 Ernestas Kulik 2017-03-03 18:03:14 UTC
(In reply to Carlos Soriano from comment #1)
> Not sure I understand, what's the issue? What do you mean by deceptive
> display?

Bug 777991, maybe?
Comment 3 Carlos Soriano 2017-03-03 18:24:08 UTC
Yeah, maybe. I just want to make sure what the reporter means by "deceptive display"; it doesn't look like we do anything different for display, which seems to be the main concern of the reporter.
Comment 4 Ankit Pati 2017-03-04 11:33:50 UTC
Have you tried extracting and double-clicking the extracted file on a recent GNOME desktop?

It displays as a document, because the .desktop file instructs Nautilus to show that icon, but it really is no different from a script that can execute any arbitrary command.

Even with the “View executable text files when they are opened” setting, the .desktop file still executes pretty much like a script when the execute bit is set. This behaviour is also equally deceptive, and highly conducive to social engineering.
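The mechanism described in comment 4 (a `.desktop` launcher whose `Name=` and `Icon=` make it look like an office document while `Exec=` runs a command) is something a defender can check for when unpacking archives. The following scanner is an added example, not code from this bug or from Nautilus: it parses the `[Desktop Entry]` group, flags `Type=Application` entries whose visible name or icon suggests a document, and reports whether the execute bit is set (the condition under which Nautilus treats the file as a launcher). The sample files it builds in a temporary directory, including the document-lookalike launcher with a harmless `echo` as `Exec=`, are constructed for this example.

```python
import os
import stat
import tempfile

# Name/icon fragments that suggest a plain document rather than a launcher.
# Constructed list for this example; extend it for your own environment.
DOCUMENT_HINTS = ("libreoffice", "document", "office", "text-x-generic",
                  ".odt", ".doc", ".pdf", ".txt")


def parse_desktop_entry(text):
    """Minimal parser for the [Desktop Entry] group of a .desktop file.

    Returns a dict of key -> value; the first occurrence of a key wins,
    and keys in other groups (e.g. [Desktop Action ...]) are ignored.
    """
    entries = {}
    in_group = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_group = (line == "[Desktop Entry]")
            continue
        if in_group and "=" in line:
            key, _, value = line.partition("=")
            entries.setdefault(key.strip(), value.strip())
    return entries


def assess_desktop_file(path):
    """Return a list of findings for one .desktop file (empty = nothing odd)."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        entry = parse_desktop_entry(fh.read())
    # Only Application entries with an Exec= line can run a command.
    if entry.get("Type") != "Application" or "Exec" not in entry:
        return findings
    name = entry.get("Name", "")
    icon = entry.get("Icon", "")
    shown = (name + " " + icon).lower()
    if any(hint in shown for hint in DOCUMENT_HINTS):
        findings.append("launcher presented as a document: "
                        f"Name={name!r} Icon={icon!r} Exec={entry['Exec']!r}")
    mode = os.stat(path).st_mode
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("execute bit set: a double-click runs Exec rather "
                        "than opening the file as text")
    return findings


def scan_directory(root):
    """Walk an extracted archive and map each suspicious .desktop path to its findings."""
    results = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            if fn.endswith(".desktop"):
                path = os.path.join(dirpath, fn)
                findings = assess_desktop_file(path)
                if findings:
                    results[path] = findings
    return results


def build_sample_dir():
    """Create a temp directory with two constructed .desktop files and return its path."""
    root = tempfile.mkdtemp(prefix="desktop-scan-")
    # Constructed lookalike: document name and icon, but Exec= runs a command.
    lookalike = os.path.join(root, "LibreOffice Document.desktop")
    with open(lookalike, "w", encoding="utf-8") as fh:
        fh.write("[Desktop Entry]\nType=Application\nName=LibreOffice Document\n"
                 "Icon=libreoffice-writer\nExec=sh -c 'echo constructed sample'\n")
    os.chmod(lookalike, 0o755)  # execute bit, as in the report
    # Constructed benign launcher: honest name and icon, no execute bit.
    benign = os.path.join(root, "Terminal.desktop")
    with open(benign, "w", encoding="utf-8") as fh:
        fh.write("[Desktop Entry]\nType=Application\nName=Terminal\n"
                 "Icon=utilities-terminal\nExec=gnome-terminal\n")
    os.chmod(benign, 0o644)
    return root


if __name__ == "__main__":
    for path, findings in scan_directory(build_sample_dir()).items():
        print(path)
        for f in findings:
            print("  -", f)
```

Run it over the directory an archive was extracted into; only files that both look like documents and carry an `Exec=` line are reported, so ordinary application launchers stay quiet.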
Comment 5 Ankit Pati 2017-03-04 11:39:04 UTC
Sorry for the trouble. Looks like the patch for Bug 777991 has already fixed this issue.
Comment 6 Carlos Soriano 2017-03-04 11:50:15 UTC

*** This bug has been marked as a duplicate of bug 777991 ***