
Security

.desktop files and security

One of the areas of quiet cooperation between the GNOME and KDE projects is the shared specification for .desktop files. These files create a connection between an icon on the desktop and an application to be launched or file to be accessed when the icon is clicked upon by the user. The format is simple and flexible, and it allows the same desktop icons to be implemented on either desktop system.

There has been an ongoing level of concern over these files, most recently voiced by Sam Watkins on the XDG mailing list. The issue is that .desktop files are, for all practical purposes, shell scripts capable of doing anything that the user can do. But they do not have to be marked as executable, and they have complete control over how they are presented on the desktop. A .desktop file can show up as a document or image file, but actually be some sort of hostile script. A user, hoping only to view a file which has shown up on the desktop, may end up running something entirely different.

A number of ways of addressing the issue have been proposed. The simplest, perhaps, is to require that .desktop files have execute permission to be launched. Since setting that bit requires an explicit action on the part of the user, a hostile icon cannot be put directly onto the desktop by, for example, a file downloaded via a web browser. Some people have objected that .desktop files are not actually executables - they cannot be run from the command line. Putting a suitable #! line at the beginning of the file would fix that, however.

Another possibility would be to mark known-good .desktop files with an extended attribute. If an attempt was made to launch an unmarked file, a suitably scary dialog would be put up and confirmation required from the user. Or, .desktop files with executable content could be restricted in the set of icons they could use, so that, at least, the fact that a program would be run would be obvious. Or some sort of global system database could keep track of the trusted .desktop files.

Perhaps the most elaborate suggestion is to run all .desktop programs (and perhaps others) in a tightly-restricted sandbox with little access to the rest of the system. With some work, the desktop environment could be reworked to make most things work transparently for users. For example, selecting a file in a file-browser dialog would grant the right to access that file to the associated application. The Plash project has made progress toward the implementation of such a system.

Which of these solutions will be adopted, if any, remains to be seen. It is not clear that everybody sees a real problem with the capabilities of .desktop files. Experience has shown, however, that even difficult and unlikely attack vectors will be exploited eventually. It would be a shame if the adoption of desktop Linux were to be held back by security concerns.
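As an added illustration (not code from the article or from either desktop project), here is a small checker that parses a .desktop file and applies the policies discussed above: a launcher is allowed only if it carries the execute bit or a trust mark, and never if it dresses itself up as a document or image. The sample file and the extended-attribute name `user.desktop.trusted` are constructed placeholders.

```python
import configparser
import os
# Constructed sample (not from the article): a launcher dressed up as a photo.
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=holiday-photo.jpg
Icon=image-x-generic
Exec=sh -c 'echo this could be anything'
"""
DOC_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt", ".odt", ".doc")
DOC_ICON_PREFIXES = ("image-", "text-", "application-pdf")

def parse_desktop(text):
    """Parse the INI-style .desktop format; return the [Desktop Entry] group as a dict."""
    cp = configparser.RawConfigParser()  # Raw: no %-interpolation of Exec field codes
    cp.optionxform = str                 # keys are case-sensitive in the spec
    cp.read_string(text)
    return dict(cp.items("Desktop Entry"))  # NoSectionError if the group is missing

def is_launcher(entry):
    """Clicking this icon would run a command rather than open a document."""
    return entry.get("Type") == "Application" and "Exec" in entry

def masquerades_as_document(entry):
    """A launcher that shows a document-style name or a document/image icon."""
    name, icon = entry.get("Name", "").lower(), entry.get("Icon", "").lower()
    return is_launcher(entry) and (name.endswith(DOC_EXTENSIONS) or icon.startswith(DOC_ICON_PREFIXES))

def assess(entry, executable, trusted):
    """Policy from the article's proposals: a launcher needs the execute bit or a trust
    mark, and may not present itself as a document. Returns (allow, reasons)."""
    if not is_launcher(entry):  # links, directories: nothing to execute
        return True, []
    reasons = []
    if not executable:
        reasons.append("launcher lacks execute permission")
    if not trusted:
        reasons.append("launcher is not marked trusted")
    if masquerades_as_document(entry):
        reasons.append("launcher presents itself as a document or image")
    return (executable or trusted) and not masquerades_as_document(entry), reasons

def assess_path(path, trust_attr="user.desktop.trusted"):  # xattr name is a hypothetical placeholder
    with open(path, encoding="utf-8") as f:
        entry = parse_desktop(f.read())
    try:
        trusted = os.getxattr(path, trust_attr) == b"1"
    except (OSError, AttributeError):  # attribute absent, or platform without xattr support
        trusted = False
    return assess(entry, os.access(path, os.X_OK), trusted)
```

A file manager applying this policy would show the confirmation dialog the article mentions whenever `assess` returns False, listing the reasons.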


Brief items

Coverity: one bug fixed every six minutes

Coverity has sent out a press release claiming that free software projects fixed one bug every six minutes in the week following the release of the results from the company's first scan. "In seven days, the defect density for 32 open source projects analyzed dropped from 0.434 defects per thousand lines of code to 0.371 defects. Samba, a widely used open source project used to connect Linux and Windows networks, showed the fastest developer response, reducing software defects in Samba from 216 to 18 in the first seven days."


New vulnerabilities

dia: buffer overflows

Package(s): dia    CVE #(s): CVE-2006-1550
Created: April 3, 2006    Updated: May 3, 2006
Description: Three buffer overflows were discovered in the Xfig file format importer. By tricking a user into opening a specially crafted .fig file with dia, an attacker could exploit this to execute arbitrary code with the user's privileges.
Alerts:
Red Hat RHSA-2006:0280-01 Dia 2006-05-03
Gentoo 200604-14 dia 2006-04-23
Fedora FEDORA-2006-261 dia 2006-04-05
Mandriva MDKSA-2006:062 dia 2006-04-03
Ubuntu USN-266-1 dia 2006-04-03


horde: two remotely exploitable vulnerabilities

Package(s): horde    CVE #(s): CVE-2006-1491 CVE-2006-1260
Created: April 5, 2006    Updated: April 14, 2006
Description: Versions of horde prior to 3.1.1 have two vulnerabilities, both of which are remotely exploitable: code execution in the help viewer and an input validation error which could allow read access to arbitrary files.
Alerts:
Debian DSA-1034-1 horde2 2006-04-14
Debian DSA-1033-1 horde3 2006-04-12
Gentoo 200604-02 horde 2006-04-04


kaffeine: buffer overflow

Package(s): kaffeine    CVE #(s): CVE-2006-0051
Created: April 5, 2006    Updated: April 6, 2006
Description: Marcus Meissner discovered that kaffeine, a media player for KDE 3, contains an unchecked buffer that can be overwritten remotely when fetching remote RAM playlists, which can lead to the execution of arbitrary code.
Alerts:
Ubuntu USN-268-1 kaffeine 2006-04-06
Gentoo 200604-04 kaffeine 2006-04-05
Mandriva MDKSA-2006:065 kaffeine 2006-04-05
Debian DSA-1023-1 kaffeine 2006-04-05


mailman: denial of service

Package(s): mailman    CVE #(s): CVE-2006-0052
Created: March 30, 2006    Updated: June 9, 2006
Description: Mailman 2.1.5 and below have a denial of service vulnerability in the Scrubber.py script. If a maliciously created message in MIME multipart format is received, Mailman delivery can be stopped.
Alerts:
Red Hat RHSA-2006:0486-01 mailman 2006-06-09
SuSE SUSE-SR:2006:008 multi 2006-04-07
Debian DSA-1027-1 mailman 2006-04-06
Ubuntu USN-267-1 mailman 2006-04-03
Mandriva MDKSA-2006:061 mailman 2006-03-29


mediawiki: cross-site scripting

Package(s): mediawiki    CVE #(s): CVE-2006-1498
Created: April 4, 2006    Updated: April 4, 2006
Description: MediaWiki fails to decode certain encoded URLs correctly. By supplying specially crafted links, a remote attacker could exploit this vulnerability to inject malicious HTML or JavaScript code that will be executed in a user's browser session in the context of the vulnerable site.
Alerts:
Gentoo 200604-01 mediawiki 2006-04-04


MySQL: logging bypass

Package(s): mysql    CVE #(s): CVE-2006-0903
Created: April 4, 2006    Updated: May 21, 2008
Description: MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms via SQL queries that contain the NULL character, which are not properly handled by the mysql_real_query function. NOTE: this issue was originally reported for the mysql_query function, but the vendor states that since mysql_query expects a null character, this is not an issue for mysql_query.
Alerts:
Red Hat RHSA-2008:0364-01 mysql 2008-05-21
Ubuntu USN-274-2 mysql-dfsg 2006-05-15
Ubuntu USN-274-1 mysql-dfsg 2006-04-27
Mandriva MDKSA-2006:064 MySQL 2006-04-03


php: insecure data

Package(s): php    CVE #(s): CVE-2006-1490
Created: April 4, 2006    Updated: April 4, 2006
Description: A vulnerability was discovered where the html_entity_decode() function would return a chunk of memory with length equal to the supplied string, which could include PHP code, PHP ini data, other user data, etc.
Alerts:
Mandriva MDKSA-2006:063 php 2006-04-02


samba: clear text password exposure

Package(s): samba    CVE #(s): CVE-2006-1059
Created: March 31, 2006    Updated: April 4, 2006
Description: According to this Samba advisory, the winbindd daemon included in Samba 3.0.21 and subsequent patch releases (3.0.21a-c) writes the clear text of the server's machine credentials to its log file at log level 5. The winbindd log files are world readable by default, and log files are often requested on open mailing lists as a tool for debugging server misconfigurations. This vulnerability has been fixed in Samba 3.0.22.
Alerts:
Fedora FEDORA-2006-259 samba 2006-03-30


storebackup: multiple vulnerabilities

Package(s): storebackup    CVE #(s): CVE-2005-3146 CVE-2005-3147 CVE-2005-3148
Created: April 4, 2006    Updated: April 4, 2006
Description: Several vulnerabilities have been discovered in the backup utility storebackup.
  • Storebackup creates a temporary file predictably, which can be exploited to overwrite arbitrary files on the system with a symlink attack. (CVE-2005-3146)
  • The backup root directory is created with world-readable permissions, which may leak sensitive data. (CVE-2005-3147)
  • The user and group rights of symlinks are set incorrectly when making or restoring a backup, which may leak sensitive data. (CVE-2005-3148)
Alerts:
Debian DSA-1022-1 storebackup 2006-04-04


Page editor: Jonathan Corbet


Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds