Slashdot Mirror

← Back to Stories (view on slashdot.org)

Malware Threat To GNOME and KDE

Posted by timothy on from the turducken dept.

commandlinegamer writes "foobar posted on his blog recently about 'How to write a Linux virus in 5 easy steps,' detailing potential malware infection risks in the .desktop file format used by GNOME and KDE. This is not a new threat, and it appears to still be a risk, as discussions in 2006 did not seem to come to any firm conclusion on how to deal with the problem." There's a followup on LWN.

4 of 348 comments (clear)

  1. Re:Protect your self with encryption by JesseMcDonald · · Score: 5, Informative

    Why do shortcuts need to have the ability to run code?

    The shortcut only contains parameters for the path to the application and a list of parameters; it doesn't run any code itself. The problem is that the application can be (e.g.) /usr/bin/perl, and the parameters "-e 'perl code here'". Removing this ability would seriously impact the usefulness of the shortcuts.

    The real issue is that the DEs are blindly trusting a non-executable file of unknown source to provide this information. The solution has already been suggested: turn all .desktop files into scripts (via a #! line, which is already valid comment syntax), mark them as executable, and have the DE run them like any other executable file. Non-executable .desktop files which link to applications would be displayed as usual, but would be treated as documents rather than launchers.

    --
    "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
  2. Did you even RTFA? by brunes69 · · Score: 4, Informative

    He is not talking about shell scripts at all. The whole point of the article is a .desktop file does not need to be +x to execute it, KDE and Gnome execute commands in it automatically regardless. So all they have to do is save it and click on it.

  3. Re:Protect your self with encryption by Ed+Avis · · Score: 4, Informative

    Yeah it's pretty straightforward: if the executable bit is not set then the file is merely *displayed* as a plain text file. If the executable bit is set then it is *run*.

    That means you cannot simply save an attachment from a message and run it. You can however display it, which is fine.

    Everything works like this except for .desktop files, which because of an oversight, default to *running* on double-click even if not marked executable. Hence the attack vector. It is made nastier by the fact that .desktop files can disguise themselves with a name and icon of their choosing.

    --
    -- Ed Avis ed@membled.com
  4. They won't listen by diegocgteleline.es · · Score: 4, Informative

    I filed a bug warning of this security problem on March, 2005. Final answer of the developers after taking it to the freedesktop lists: WONTFIX. So, what's the point of reporting bugs?...

    The fix is easy, only interpret .desktop files IFF they have the +x bit set (IOW, apply the regular UNIX semantics). It shouldn't take more than a few lines in Gnome and KDE to fix it, and distros can easily modify the scripts to make all the .desktop files +x-