nautilus: CVE-2017-14604: .desktop files can hide malware in Nautilus

Debian Bug report logs - #860268
nautilus: CVE-2017-14604: .desktop files can hide malware in Nautilus

Toggle useless messages

---

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Package: nautilus
Version: 3.22.3-1

There is a bug in Nautilus that makes it possible to disguise a
malicious script as an innocent document, like a PDF or ODT, that gets
executed when the user opens it.

The upstream nautilus issue [1] has already been resolved, and will be
released in nautilus 3.24. But since this is an important security
issue, I think this patch should be backported so that it's fixed in
older versions of Debian.

See this blog post [2] for more about how this bug allows attackers to
compromise the security-focused Debian-based distro Subgraph.

[1] https://bugzilla.gnome.org/show_bug.cgi?id=777991
[2]
https://micahflee.com/2017/04/breaking-the-security-model-of-subgraph-os/

---

Message #14 received at 860268@bugs.debian.org (full text, mbox, reply):

Hi!

Micah Lee:
> The upstream nautilus issue [1] has already been resolved, and will be
> released in nautilus 3.24. But since this is an important security
> issue, I think this patch should be backported so that it's fixed in
> older versions of Debian.

Thanks for raising this issue in Debian!

Is there any plan upstream to backport this fix to their 3.22.x
branch, and/or to request a CVE?

Did you personally check whether it's straightforward to backport the
fix to 3.22?

Cheers,
-- 
intrigeri

---

Message #19 received at 860268@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

On Fri, 2017-09-01 at 21:53 +0200, intrigeri wrote:
> Hi!
> 
> Micah Lee:
> > The upstream nautilus issue [1] has already been resolved, and will be
> > released in nautilus 3.24. But since this is an important security
> > issue, I think this patch should be backported so that it's fixed in
> > older versions of Debian.
> 
> Thanks for raising this issue in Debian!
> 
> Is there any plan upstream to backport this fix to their 3.22.x
> branch, and/or to request a CVE?
> 
> Did you personally check whether it's straightforward to backport the
> fix to 3.22?
> 
> Cheers,

Hi,

Seeing this bug. I have backported from the upstream patch (hash issue with
upstream diff) for testing purposes and all looks good. If anyone wishes to
test, a debdiff is attached.

The debdiff is prepared with a 'stretch-pu' in mind.

If any edits are required, please do not hesitate to let me know.

Regards

Phil

-- 
*** If this is a mailing list, I am subscribed, no need to CC me.***

Playing the game for the games sake.

Web: https://kathenas.org

Twitter: kathenasorg

Instagram: kathenasorg

[nautilus_3.22.3-1_to_nautilus_3.22.3-1.1.debdiff (text/x-patch, attachment)]

[signature.asc (application/pgp-signature, inline)]

---

Message #26 received at 860268@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Hi,

Thank you Phil for providing a backport patch. What is the next step
needed to get this fix released as a backport? The .desktop security
issue is widely know and can be exploited in the wild [1]. IMO this
fixed should be made available as soon as possible.

Regards,
Donncha

[1] https://github.com/freedomofpress/securedrop/issues/2238

[signature.asc (application/pgp-signature, attachment)]

---

Message #31 received at 860268@bugs.debian.org (full text, mbox, reply):

Control: tag -1 + security

Donncha O'Cearbhaill:
> Thank you Phil for providing a backport patch. What is the next step
> needed to get this fix released as a backport? The .desktop security
> issue is widely know and can be exploited in the wild [1]. IMO this
> fixed should be made available as soon as possible.

IMO the next step is to find out the answer to "Is there any plan
upstream to backport this fix to their 3.22.x branch, and/or to
request a CVE?": if this problem is as severe as it sounds, then it
should be tracked as a security issue and fixed cross-distro, rather
than patched in only the distros that are lucky enough to have users
who care about such things.

---

Message #38 received at 860268@bugs.debian.org (full text, mbox, reply):

intrigeri:
> Control: tag -1 + security
> 
> Donncha O'Cearbhaill:
>> Thank you Phil for providing a backport patch. What is the next step
>> needed to get this fix released as a backport? The .desktop security
>> issue is widely know and can be exploited in the wild [1]. IMO this
>> fixed should be made available as soon as possible.
> 
> IMO the next step is to find out the answer to "Is there any plan
> upstream to backport this fix to their 3.22.x branch, and/or to
> request a CVE?": if this problem is as severe as it sounds, then it
> should be tracked as a security issue and fixed cross-distro, rather
> than patched in only the distros that are lucky enough to have users
> who care about such things.
> 

The upstream developer has indicated that he willing to make a 3.22.x
release if a backport patch is provided. I've sent him a link to Phil
Wyett's debdiff which I hope is acceptable.

I will also file a CVE request for this issue which should help to
coordinate the release of this fix for other distros.

Upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=777991

---

Message #43 received at 860268@bugs.debian.org (full text, mbox, reply):

The upstream developer has now indicated that they will not be
backporting the fix to 3.22.x. They have a policy of not backporting
fixes which involve UI changes in stable branches.

Will Debian backport this issue themselves? I have requested a CVE which
I hope will help other distros to coordinate their fixes.

Upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=777991

intrigeri:
> Control: tag -1 + security
> 
> Donncha O'Cearbhaill:
>> Thank you Phil for providing a backport patch. What is the next step
>> needed to get this fix released as a backport? The .desktop security
>> issue is widely know and can be exploited in the wild [1]. IMO this
>> fixed should be made available as soon as possible.
> 
> IMO the next step is to find out the answer to "Is there any plan
> upstream to backport this fix to their 3.22.x branch, and/or to
> request a CVE?": if this problem is as severe as it sounds, then it
> should be tracked as a security issue and fixed cross-distro, rather
> than patched in only the distros that are lucky enough to have users
> who care about such things.
> 

---

Message #50 received at 860268@bugs.debian.org (full text, mbox, reply):

Is there anything that I can do to help get this backport patch
deployed? This issue can be exploited in the wild and I think it should
be fixed as soon as possible.

I am still waiting for a response for my CVE request.

---

Message #55 received at 860268@bugs.debian.org (full text, mbox, reply):

On Thu, Sep 7, 2017 at 9:34 AM, Donncha O'Cearbhaill <donncha@donncha.is> wrote:
> The upstream developer has now indicated that they will not be
> backporting the fix to 3.22.x. They have a policy of not backporting
> fixes which involve UI changes in stable branches.
>
> Will Debian backport this issue themselves? I have requested a CVE which
> I hope will help other distros to coordinate their fixes.

It's not just a UI change but a translatable string change. The new
dialog that users will have to use to mark .desktop's as trusted will
be untranslated.

Therefore, if you want this feature, you will need to use Nautilus >=
3.24 which means you will need to upgrade to buster.

Thanks,
Jeremy Bicha

---

Message #60 received at 860268@bugs.debian.org (full text, mbox, reply):

Jeremy Bicha:
> 
> It's not just a UI change but a translatable string change. The new
> dialog that users will have to use to mark .desktop's as trusted will
> be untranslated.
> 
> Therefore, if you want this feature, you will need to use Nautilus >=
> 3.24 which means you will need to upgrade to buster.
> 

I understand backporting is more difficult when there are user facing UI
and localisation changes. AFAIK the only new translatable string in the
patch is "Trust and _Launch". Would it be possible to include the
translations for that string with this backport patch?

Personally I don't consider this change a *feature*, it is a fix for a
serious security issue affecting Debian stable users (and Tails). The
issue is trivially exploitable against the default configuration.

Video demonstrating the issue:
https://twitter.com/bleidl/status/851969179980845056
More information and an example:
https://github.com/DonnchaC/desktop-file-social-engineering

---

Message #65 received at 860268@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

On Wed, 2017-09-13 at 13:36 +0000, Donncha O'Cearbhaill wrote:
> Jeremy Bicha:
> > 
> > It's not just a UI change but a translatable string change. The new
> > dialog that users will have to use to mark .desktop's as trusted will
> > be untranslated.
> > 
> > Therefore, if you want this feature, you will need to use Nautilus >=
> > 3.24 which means you will need to upgrade to buster.
> > 
> 
> I understand backporting is more difficult when there are user facing UI
> and localisation changes. AFAIK the only new translatable string in the
> patch is "Trust and _Launch". Would it be possible to include the
> translations for that string with this backport patch?
> 
> Personally I don't consider this change a *feature*, it is a fix for a
> serious security issue affecting Debian stable users (and Tails). The
> issue is trivially exploitable against the default configuration.
> 
> Video demonstrating the issue:
> https://twitter.com/bleidl/status/851969179980845056
> More information and an example:
> https://github.com/DonnchaC/desktop-file-social-engineering

Hi,

Please note that the debdiff I provided was essentially a raw backport for
testing and I thought it may have issues. It was never meant as a 'here it is,
all done' patch ready for submission as a stable update.

I am a little busy at the moment, but if I can help here, I will.

Regards

Phil

-- 
*** If this is a mailing list, I am subscribed, no need to CC me.***

Playing the game for the games sake.

Web: https://kathenas.org

Github: https://github.com/kathenas

Twitter: kathenasorg

Instagram: kathenasorg

[signature.asc (application/pgp-signature, inline)]

---

Message #70 received at 860268@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

On Wed, 2017-09-13 at 15:30 +0100, Phil Wyett wrote:
> On Wed, 2017-09-13 at 13:36 +0000, Donncha O'Cearbhaill wrote:
> > Jeremy Bicha:
> > > 
> > > It's not just a UI change but a translatable string change. The new
> > > dialog that users will have to use to mark .desktop's as trusted will
> > > be untranslated.
> > > 
> > > Therefore, if you want this feature, you will need to use Nautilus >=
> > > 3.24 which means you will need to upgrade to buster.
> > > 
> > 
> > I understand backporting is more difficult when there are user facing UI
> > and localisation changes. AFAIK the only new translatable string in the
> > patch is "Trust and _Launch". Would it be possible to include the
> > translations for that string with this backport patch?
> > 
> > Personally I don't consider this change a *feature*, it is a fix for a
> > serious security issue affecting Debian stable users (and Tails). The
> > issue is trivially exploitable against the default configuration.
> > 
> > Video demonstrating the issue:
> > https://twitter.com/bleidl/status/851969179980845056
> > More information and an example:
> > https://github.com/DonnchaC/desktop-file-social-engineering
> 
> Hi,
> 
> Please note that the debdiff I provided was essentially a raw backport for
> testing and I thought it may have issues. It was never meant as a 'here it is,
> all done' patch ready for submission as a stable update.
> 
> I am a little busy at the moment, but if I can help here, I will.
> 
> Regards
> 
> Phil
> 

Hi,

Has anyone looked at how Red Hat are approaching this issue? RHEL 7.4 is gnome
3.22 and using nautilus 3.22.3 I believe.

Regards

Phil

-- 
*** If this is a mailing list, I am subscribed, no need to CC me.***

Playing the game for the games sake.

Web: https://kathenas.org

Github: https://github.com/kathenas

Twitter: kathenasorg

Instagram: kathenasorg

[signature.asc (application/pgp-signature, inline)]

---

Message #75 received at 860268@bugs.debian.org (full text, mbox, reply):

Phil Wyett:
>>
>> Hi,
>>
>> Please note that the debdiff I provided was essentially a raw backport for
>> testing and I thought it may have issues. It was never meant as a 'here it is,
>> all done' patch ready for submission as a stable update.
>>
>> I am a little busy at the moment, but if I can help here, I will.
>>
>> Regards
>>
>> Phil
>>
> 
> Hi,
> 
> Has anyone looked at how Red Hat are approaching this issue? RHEL 7.4 is gnome
> 3.22 and using nautilus 3.22.3 I believe.
> 
> Regards
> 
> Phil
> 

The corresponding Red Hat bug is at
https://bugzilla.redhat.com/show_bug.cgi?id=1442231. Unfortunately there
has not been any progress with fixing this issue in RHEL or Fedora 25
either.

Thanks for creating the original patch. I'm not experienced with Debian
packing, but I will try to test your patch later today.

---

Message #80 received at 860268@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

On Wed, 2017-09-13 at 15:32 +0000, Donncha O'Cearbhaill wrote:
> Phil Wyett:
> > > 
> > > Hi,
> > > 
> > > Please note that the debdiff I provided was essentially a raw backport for
> > > testing and I thought it may have issues. It was never meant as a 'here it
> > > is,
> > > all done' patch ready for submission as a stable update.
> > > 
> > > I am a little busy at the moment, but if I can help here, I will.
> > > 
> > > Regards
> > > 
> > > Phil
> > > 
> > 
> > Hi,
> > 
> > Has anyone looked at how Red Hat are approaching this issue? RHEL 7.4 is
> > gnome
> > 3.22 and using nautilus 3.22.3 I believe.
> > 
> > Regards
> > 
> > Phil
> > 
> 
> The corresponding Red Hat bug is at
> https://bugzilla.redhat.com/show_bug.cgi?id=1442231. Unfortunately there
> has not been any progress with fixing this issue in RHEL or Fedora 25
> either.
> 
> Thanks for creating the original patch. I'm not experienced with Debian
> packing, but I will try to test your patch later today.

Hi,

Being that this is tagged against Fedora 27 in Red Hats bugzilla. I have cloned
the bug and assigned it to RHEL 7.4.

https://bugzilla.redhat.com/show_bug.cgi?id=1491425

Regards

Phil

-- 
*** If this is a mailing list, I am subscribed, no need to CC me.***

Playing the game for the games sake.

Web: https://kathenas.org

Github: https://github.com/kathenas

Twitter: kathenasorg

Instagram: kathenasorg

[signature.asc (application/pgp-signature, inline)]

---

Message #85 received at 860268@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Phil Wyett:
> Please note that the debdiff I provided was essentially a raw backport for
> testing and I thought it may have issues. It was never meant as a 'here it is,
> all done' patch ready for submission as a stable update.
> 
> I am a little busy at the moment, but if I can help here, I will.
> 
> Regards
> 
> Phil
> 

Hi,

I have cherry-picked the translations for the string "Trust and _Launch"
and created an updated patch and debdiff containing those strings in the
respective .po files.

Unfortunately it looks like the Debian package does not rebuild the
.gmo/.mo files from the .po files during the build. Instead it uses the
pre-built .gmo files which have be include in the upstream release. As a
result the added translation are not included with the built package.

I'm not sure what is the best way to resolve this:

1. Add gettext build dependency and rebuild the .mo files
3. Ask upstream maintainer to make a 3.22 release contain the patch and
translation
3. Create release without translation for that one string

Phil, I have tested your patch on Tail 3.1 (based on Debian Jessie) and
it is functioning as expected.

[nautilus.debdiff (text/plain, attachment)]

---

Message #90 received at 860268@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

It looks like I attached the wrong debdiff to my previous email. I have
attached the correct version now.

[nautilus_3.22.3-1_to_nautilus_3.22.3-1.1.debdiff (text/plain, attachment)]

---

Message #95 received at 860268@bugs.debian.org (full text, mbox, reply):

CVE-2017-14604 has been issued for this vulnerability.

---

Message #102 received at 860268@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Phil Wyett:
> On Wed, 2017-09-13 at 15:32 +0000, Donncha O'Cearbhaill wrote:
>> Phil Wyett:
>>>>
>>>> Hi,
>>>>
>>>> Please note that the debdiff I provided was essentially a raw backport for
>>>> testing and I thought it may have issues. It was never meant as a 'here it
>>>> is,
>>>> all done' patch ready for submission as a stable update.
>>>>
>>>> I am a little busy at the moment, but if I can help here, I will.
>>>>

I have created a backport patch targeting Nautilus 3.22.3 which contains
the cherry-picked translations for the new UI string.

It adds a line to the debian/control file to remove the pre-built .mo
translation files which were included in the upstream source release. I
also needed to add gettext as a build dependency. With this patch the
.mo/.gmo files should be rebuilt with the new strings during the Debian
package build.

I have tested the backported Nautlius package with Tails 3.1 which is
based on Debian stable. The English and localised interface is displayed
correctly.

Ideally this backport would be ready for Tails 3.2 which is schedule to
be released early next week.

Please let me know if I need to make any further changes.

Regards,
Donncha

[nautilus_3.22.3-1_to_nautilus_3.22.3-1.1.debdiff (text/plain, attachment)]

[signature.asc (application/pgp-signature, attachment)]

---

Message #107 received at 860268@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

On Wed, 2017-09-20 at 17:30 +0000, Donncha O'Cearbhaill wrote:
> Phil Wyett:
> > On Wed, 2017-09-13 at 15:32 +0000, Donncha O'Cearbhaill wrote:
> > > Phil Wyett:
> > > > > 
> > > > > Hi,
> > > > > 
> > > > > Please note that the debdiff I provided was essentially a raw backport
> > > > > for
> > > > > testing and I thought it may have issues. It was never meant as a
> > > > > 'here it
> > > > > is,
> > > > > all done' patch ready for submission as a stable update.
> > > > > 
> > > > > I am a little busy at the moment, but if I can help here, I will.
> > > > > 
> 
> I have created a backport patch targeting Nautilus 3.22.3 which contains
> the cherry-picked translations for the new UI string.
> 
> It adds a line to the debian/control file to remove the pre-built .mo
> translation files which were included in the upstream source release. I
> also needed to add gettext as a build dependency. With this patch the
> .mo/.gmo files should be rebuilt with the new strings during the Debian
> package build.
> 
> I have tested the backported Nautlius package with Tails 3.1 which is
> based on Debian stable. The English and localised interface is displayed
> correctly.
> 
> Ideally this backport would be ready for Tails 3.2 which is schedule to
> be released early next week.
> 
> Please let me know if I need to make any further changes.
> 
> Regards,
> Donncha

Hi,

Sorry, been busy, so not had chance to get back to this.

Tested on English, German and French and all Ok.

Attached is updated debdiff, adding credit.

Regards

Phil

-- 
*** If this is a mailing list, I am subscribed, no need to CC me.***

Playing the game for the games sake.

Web: https://kathenas.org

GitLab: https://gitlab.com/kathenas

Twitter: kathenasorg

Instagram: kathenasorg

GPG: 1B97 6556 913F 73F3 9C9B 25C4 2961 D9B6 2017 A57A

[nautilus_3.22.3-1_to_nautilus_3.22.3-1.1.debdiff (text/x-patch, attachment)]

[signature.asc (application/pgp-signature, inline)]

---

Message #112 received at 860268@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Hi,

Now that the CVE (CVE-2017-14604) has been issued and this would (well, if it
ever does) pass into debian as a security update. I have updated the debdiff
accordingly. See attached.

Link to CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14604

If any tweaks need to be made. Please let me know via this bug report.

If anyone has issues running with this patch applied. Please be sure to add
information to this bug report.

Regards

Phil

-- 
*** If this is a mailing list, I am subscribed, no need to CC me.***

Playing the game for the games sake.

Web: https://kathenas.org

GitLab: https://gitlab.com/kathenas

Twitter: kathenasorg

Instagram: kathenasorg

GPG: 1B97 6556 913F 73F3 9C9B 25C4 2961 D9B6 2017 A57A

[nautilus_3.22.3-1_to_nautilus_3.22.3-1+deb9u1.debdiff (text/x-patch, attachment)]

[signature.asc (application/pgp-signature, inline)]

---

Message #119 received at 860268@bugs.debian.org (full text, mbox, reply):

I asked on IRC about this so feel free to send the email, Phil or Donncha:

jbicha | carnil: are you going to sponsor #860268 as a security update?
jmm_ | jbicha: yeah, we can fix that via security.debian.org, please
send a mail to team@security.debian.org, only a few of us are on IRC


Thanks,
Jeremy Bicha

---

Message #124 received at 860268@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

On Fri, 2017-09-22 at 17:19 -0400, Jeremy Bicha wrote:
> I asked on IRC about this so feel free to send the email, Phil or Donncha:
> 
> jbicha | carnil: are you going to sponsor #860268 as a security update?
> jmm_ | jbicha: yeah, we can fix that via security.debian.org, please
> send a mail to team@security.debian.org, only a few of us are on IRC
> 
> 
> Thanks,
> Jeremy Bicha

Hi Security Team,

Please accept the attached 'nautilus' debdiff for stretch-security.

Info:

The debdiff is a backport of the fix from upstream[1] and includes translations
for the UI changes.

[1]: https://github.com/GNOME/nautilus/commit/1630f53481f445ada0a455e9979236d31a
8d3bb0

Related debian bug:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860268

Related upstream bug:

https://bugzilla.gnome.org/show_bug.cgi?id=777991

Related CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14604

Debian security tracker:

https://security-tracker.debian.org/tracker/CVE-2017-14604

Regards

Phil

-- 
*** If this is a mailing list, I am subscribed, no need to CC me.***

Playing the game for the games sake.

Web: https://kathenas.org

GitLab: https://gitlab.com/kathenas

Twitter: kathenasorg

Instagram: kathenasorg

GPG: 1B97 6556 913F 73F3 9C9B 25C4 2961 D9B6 2017 A57A

[nautilus_3.22.3-1_to_nautilus_3.22.3-1+deb9u1.debdiff (text/x-patch, attachment)]

[signature.asc (application/pgp-signature, inline)]

---

Message #129 received at 860268@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

On Sat, 2017-09-23 at 01:36 +0100, Phil Wyett wrote:
> On Fri, 2017-09-22 at 17:19 -0400, Jeremy Bicha wrote:
> > I asked on IRC about this so feel free to send the email, Phil or Donncha:
> > 
> > jbicha | carnil: are you going to sponsor #860268 as a security update?
> > jmm_ | jbicha: yeah, we can fix that via security.debian.org, please
> > send a mail to team@security.debian.org, only a few of us are on IRC
> > 
> > 
> > Thanks,
> > Jeremy Bicha
> 
> Hi Security Team,
> 
> Please accept the attached 'nautilus' debdiff for stretch-security.
> 
> Info:
> 
> The debdiff is a backport of the fix from upstream[1] and includes
> translations
> for the UI changes.
> 
> [1]: https://github.com/GNOME/nautilus/commit/1630f53481f445ada0a455e9979236d3
> 1a
> 8d3bb0
> 
> Related debian bug:
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860268
> 
> Related upstream bug:
> 
> https://bugzilla.gnome.org/show_bug.cgi?id=777991
> 
> Related CVE:
> 
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14604
> 
> Debian security tracker:
> 
> https://security-tracker.debian.org/tracker/CVE-2017-14604
> 
> Regards
> 
> Phil
> 

-- 
*** If this is a mailing list, I am subscribed, no need to CC me.***

Playing the game for the games sake.

Web: https://kathenas.org

GitLab: https://gitlab.com/kathenas

Twitter: kathenasorg

Instagram: kathenasorg

GPG: 1B97 6556 913F 73F3 9C9B 25C4 2961 D9B6 2017 A57A

[signature.asc (application/pgp-signature, inline)]

---

Message #134 received at 860268@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

On Sat, 2017-09-23 at 01:37 +0100, Phil Wyett wrote:
> On Sat, 2017-09-23 at 01:36 +0100, Phil Wyett wrote:
> > On Fri, 2017-09-22 at 17:19 -0400, Jeremy Bicha wrote:
> > > I asked on IRC about this so feel free to send the email, Phil or Donncha:
> > > 
> > > jbicha | carnil: are you going to sponsor #860268 as a security update?
> > > jmm_ | jbicha: yeah, we can fix that via security.debian.org, please
> > > send a mail to team@security.debian.org, only a few of us are on IRC
> > > 
> > > 
> > > Thanks,
> > > Jeremy Bicha
> > 
> > Hi Security Team,
> > 
> > Please accept the attached 'nautilus' debdiff for stretch-security.
> > 
> > Info:
> > 
> > The debdiff is a backport of the fix from upstream[1] and includes
> > translations
> > for the UI changes.
> > 
> > [1]: https://github.com/GNOME/nautilus/commit/1630f53481f445ada0a455e9979236
> > d3
> > 1a
> > 8d3bb0
> > 
> > Related debian bug:
> > 
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860268
> > 
> > Related upstream bug:
> > 
> > https://bugzilla.gnome.org/show_bug.cgi?id=777991
> > 
> > Related CVE:
> > 
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14604
> > 
> > Debian security tracker:
> > 
> > https://security-tracker.debian.org/tracker/CVE-2017-14604
> > 
> > Regards
> > 
> > Phil
> > 
> 
> 


Oops... Massive sleep derived error. debdiff has been forwarded to security team
on another email that did not have a massive recipient list and had them on it.

Apologies for the error.

Regards

Phil
 
-- 
*** If this is a mailing list, I am subscribed, no need to CC me.***

Playing the game for the games sake.

Web: https://kathenas.org

GitLab: https://gitlab.com/kathenas

Twitter: kathenasorg

Instagram: kathenasorg

GPG: 1B97 6556 913F 73F3 9C9B 25C4 2961 D9B6 2017 A57A

[signature.asc (application/pgp-signature, inline)]

---

Message #139 received at 860268@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

On Sat, 2017-09-23 at 01:38 +0100, Phil Wyett wrote:
> Hi Security Team,
> > 
> > Please accept the attached 'nautilus' debdiff for stretch-security.
> > 
> > Info:
> > 
> > The debdiff is a backport of the fix from upstream[1] and includes
> > translations
> > for the UI changes.
> > 
> > [1]: https://github.com/GNOME/nautilus/commit/1630f53481f445ada0a455e9979236d3
> > 1a
> > 8d3bb0

Hi Phil,

the debdiff looks good, but please use +deb9u1 as suffix for the version
number. You may then proceed with the upload to security-master.

Note that since it's the first nautilus security upload to stretch it needs to
be build with -sa.

You can safely upload a source-only upload, but you need to remove the
.buildinfo from the changes file before uploading.

Regards,
-- 
Yves-Alexis

[signature.asc (application/pgp-signature, inline)]

---

Message #144 received at 860268@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

On Thu, 2017-10-05 at 21:42 +0200, Yves-Alexis Perez wrote:
> On Sat, 2017-09-23 at 01:38 +0100, Phil Wyett wrote:
> > Hi Security Team,
> > > 
> > > Please accept the attached 'nautilus' debdiff for stretch-security.
> > > 
> > > Info:
> > > 
> > > The debdiff is a backport of the fix from upstream[1] and includes
> > > translations
> > > for the UI changes.
> > > 
> > > [1]: https://github.com/GNOME/nautilus/commit/1630f53481f445ada0a455e997
> > > 9236d3
> > > 1a
> > > 8d3bb0
> 
> Hi Phil,
> 
> the debdiff looks good, but please use +deb9u1 as suffix for the version
> number. You may then proceed with the upload to security-master.
> 
> Note that since it's the first nautilus security upload to stretch it needs
> to
> be build with -sa.
> 
> You can safely upload a source-only upload, but you need to remove the
> .buildinfo from the changes file before uploading.

I'll take care of the upload. Do you intend to backport the patches to Jessie?

Regards,
-- 
Yves-Alexis

[signature.asc (application/pgp-signature, inline)]

---

Message #149 received at 860268@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

On Sat, 2017-10-07 at 21:06 +0200, Yves-Alexis Perez wrote:
> On Thu, 2017-10-05 at 21:42 +0200, Yves-Alexis Perez wrote:
> > On Sat, 2017-09-23 at 01:38 +0100, Phil Wyett wrote:
> > > Hi Security Team,
> > > > 
> > > > Please accept the attached 'nautilus' debdiff for stretch-security.
> > > > 
> > > > Info:
> > > > 
> > > > The debdiff is a backport of the fix from upstream[1] and includes
> > > > translations
> > > > for the UI changes.
> > > > 
> > > > [1]: https://github.com/GNOME/nautilus/commit/1630f53481f445ada0a455e997
> > > > 9236d3
> > > > 1a
> > > > 8d3bb0
> > 
> > Hi Phil,
> > 
> > the debdiff looks good, but please use +deb9u1 as suffix for the version
> > number. You may then proceed with the upload to security-master.
> > 
> > Note that since it's the first nautilus security upload to stretch it needs
> > to
> > be build with -sa.
> > 
> > You can safely upload a source-only upload, but you need to remove the
> > .buildinfo from the changes file before uploading.
> 
> I'll take care of the upload. Do you intend to backport the patches to Jessie?
> 
> Regards,

Hi,

I will look at it. But, I just know it will be a nightmare if possible at all. I
shall add info to the bug report probably mod next week.

Regards

Phil
 
-- 
*** If this is a mailing list, I am subscribed, no need to CC me.***

Playing the game for the games sake.

Web: https://kathenas.org

GitLab: https://gitlab.com/kathenas

Twitter: kathenasorg

Instagram: kathenasorg

GPG: 1B97 6556 913F 73F3 9C9B 25C4 2961 D9B6 2017 A57A

[signature.asc (application/pgp-signature, inline)]

---

Message #154 received at 860268-close@bugs.debian.org (full text, mbox, reply):

Source: nautilus
Source-Version: 3.22.3-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
nautilus, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 860268@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yves-Alexis Perez <corsac@debian.org> (supplier of updated nautilus package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 07 Oct 2017 20:59:16 +0200
Source: nautilus
Binary: nautilus libnautilus-extension1a libnautilus-extension-dev gir1.2-nautilus-3.0 nautilus-data
Architecture: source
Version: 3.22.3-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Yves-Alexis Perez <corsac@debian.org>
Description:
 gir1.2-nautilus-3.0 - libraries for nautilus components - gir bindings
 libnautilus-extension-dev - libraries for nautilus components - development version
 libnautilus-extension1a - libraries for nautilus components - runtime version
 nautilus   - file manager and graphical shell for GNOME
 nautilus-data - data files for nautilus
Closes: 860268
Changes:
 nautilus (3.22.3-1+deb9u1) stretch-security; urgency=high
 .
   [ Phil Wyett ]
   * CVE-2017-14604: desktop_file_trust.patch
     + Spoof a file type by using the .desktop file extension, as demonstrated
       by an attack in which a .desktop file's Name field ends in .pdf but
       this file's Exec field launches a malicious "sh -c" command.
       (Closes: #860268).
       - Initial patch by Phil Wyett <philwyett@kathenas.org>
       - Translations additions by Donncha O'Cearbhaill <donncha@donncha.is>
 .
   [ Yves-Alexis Perez ]
   * Non-maintainer upload by the Security Team.
Checksums-Sha1:
 1cee9c7dc0bc1cd2ac4f8be85a3b4ef1e0d1566c 2599 nautilus_3.22.3-1+deb9u1.dsc
 b3ba6c79d90ca6c875503a33b635f598ff7790e4 5104800 nautilus_3.22.3.orig.tar.xz
 c1d44ad5e4805e781f26661bd9be700c278e5575 27768 nautilus_3.22.3-1+deb9u1.debian.tar.xz
Checksums-Sha256:
 47365b9751f4e6031fd46bd3b24a4826c0a6ef188eadb81c61d19c2c71a65085 2599 nautilus_3.22.3-1+deb9u1.dsc
 64c232f743a2bae3fce3c76d5aa65e378d11bb431fefde9013162069abff4e22 5104800 nautilus_3.22.3.orig.tar.xz
 e0e49aab49c5453558c39bb2a89ec61f550ca004525037917b65f8d2263c2c67 27768 nautilus_3.22.3-1+deb9u1.debian.tar.xz
Files:
 93b8d7276ab1f0b50b40fe6b1c34466c 2599 gnome optional nautilus_3.22.3-1+deb9u1.dsc
 ba8fa4513b4ec218e411ee3ef34fda53 5104800 gnome optional nautilus_3.22.3.orig.tar.xz
 fc9f543ec5f77f40144c8ed1ac86d7a3 27768 gnome optional nautilus_3.22.3-1+deb9u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEl0WwInMjgf6efq/1bdtT8qZ1wKUFAlnZJzQACgkQbdtT8qZ1
wKVgTAf/fhLLja9335NrCNroRkp3zcNN1BXx3AglZOND43A09xxAAw+4R/09Mzpw
0tyCPNouFE7akU9KTgGYMNTsLFTiCOAwxpzygHLxjmeuiyIUFHxNKDQsFaVpiZEk
D1q/vOTgzxRWVczWW2xcaKOB/AqZxZcK/x39Ts7DVXAxYv1q5pqFbd4bwsmzItjX
zu3X9aZbHznPMxcgXYQnZVfEgKDOYzii5HsVLIFiYFvok5eogssxcmECxUI/OYWf
9BaG8sZOOPEYXJT+bk0h4l75ApxyEiCsGdDOV6VIYOyIBfwzn+0UbfTl/O0+M2a/
fXEtnbqtNOU+CXqW97UerSKWHYKJUA==
=meFK
-----END PGP SIGNATURE-----

---

Message #159 received at 860268@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

On Sat, 2017-10-07 at 21:06 +0200, Yves-Alexis Perez wrote:
> On Thu, 2017-10-05 at 21:42 +0200, Yves-Alexis Perez wrote:
> > On Sat, 2017-09-23 at 01:38 +0100, Phil Wyett wrote:
> > > Hi Security Team,
> > > > 
> > > > Please accept the attached 'nautilus' debdiff for stretch-security.
> > > > 
> > > > Info:
> > > > 
> > > > The debdiff is a backport of the fix from upstream[1] and includes
> > > > translations
> > > > for the UI changes.
> > > > 
> > > > [1]: https://github.com/GNOME/nautilus/commit/1630f53481f445ada0a455e997
> > > > 9236d3
> > > > 1a
> > > > 8d3bb0
> > 
> > Hi Phil,
> > 
> > the debdiff looks good, but please use +deb9u1 as suffix for the version
> > number. You may then proceed with the upload to security-master.
> > 
> > Note that since it's the first nautilus security upload to stretch it needs
> > to
> > be build with -sa.
> > 
> > You can safely upload a source-only upload, but you need to remove the
> > .buildinfo from the changes file before uploading.
> 
> I'll take care of the upload. Do you intend to backport the patches to Jessie?
> 
> Regards,

Hi all,

I have looked at both 'jessie' and 'wheezy'. Both are not affected by this
specific issue and have mechanism(s) like stretch (with update) and newer
versions of nautilus that display and require input when confronted with certain
file types.

Screenshot attached showing how 'jessie' and 'wheezy' react to the example
attack desktop file.

If someone else wished to validate this, please feel free.

Regards

Phil

-- 
*** If this is a mailing list, I am subscribed, no need to CC me.***

Playing the game for the games sake.

Web: https://kathenas.org

GitLab: https://gitlab.com/kathenas

Twitter: kathenasorg

Instagram: kathenasorg

GPG: 1B97 6556 913F 73F3 9C9B 25C4 2961 D9B6 2017 A57A

[screeenshot_jessie.png (image/png, attachment)]

[screenshot_wheezy.png (image/png, attachment)]

[signature.asc (application/pgp-signature, inline)]

---

Message #164 received at 860268@bugs.debian.org (full text, mbox, reply):

On Wed, Oct 11, 2017 at 2:34 PM, Phil Wyett <philwyett@kathenas.org> wrote:
> I have looked at both 'jessie' and 'wheezy'. Both are not affected by this
> specific issue and have mechanism(s) like stretch (with update) and newer
> versions of nautilus that display and require input when confronted with certain
> file types.

nautilus 3.22 introduced integrated (almost silent) tarball
decompression support which makes the test case for this vulnerability
a lot simpler.

Thanks,
Jeremy Bicha

---

Send a report that this bug log contains spam.

---

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:08:20 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.