Package: kdebase-bin
Version: 4:3.5.9.dfsg.1-6
Severity: grave

Hello,

As pointed out in http://www.geekzone.co.nz/foobar/6229 , at the moment the KDE and GNOME desktops allow code to be executed by reading and interpreting so-called .desktop files, which are launcher files, without them being executable.
This "feature" gives a malicious user the ability to make you download and execute malicious code without being aware of it.

Scenario: Attacker Alice knows that Bob runs KDE, so she sends him an email with an attachment like the one included here. The attachment is by default saved in a default location, which for many users is ~/Desktop. Later Bob looks on the Desktop but doesn't find any README file; instead he finds a strange file with an appealing name. He double-clicks it, but instead of launching the expected application the program executes a small script that downloads, installs and executes malicious code on the box.

Problem: Bob has been framed because he executed a program without being aware of it.

Solution: Change .desktop files to execute the command inside only if they have the +x bit or, better, change those launcher files so that the first line would be #!/usr/bin/desktop-launch, with the rest of the script following afterwards. With the execute bit set this would become merely a normal script, which is interpreted by the specified separate 'shell' or utility, rather than something integrated into the desktop.

This issue has already been reported to freedesktop since 2006 but it has never been solved; while I know it's not a problem specific to Debian only, it is something that indeed affects Debian too and you should be aware of it.

In attachment, one of those launcher files which, when double-clicked, will execute two konquerors.
Regards,
Samuele

-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (600, 'unstable'), (550, 'testing'), (500, 'oldstable'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.27.1 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)
Shell: /bin/sh linked to /bin/bash

Versions of packages kdebase-bin depends on:
ii  kdebase-runtime-bin-kd  4:4.1.0-2          core binaries for the KDE 4 base r
ii  kdelibs4c2a             4:3.5.10.dfsg.1-1  core libraries and binaries for al
ii  libc6                   2.7-18             GNU C Library: Shared libraries
ii  libgcc1                 1:4.3.3-4          GCC support library
ii  libpam-runtime          1.0.1-5            Runtime support for the PAM librar
ii  libpam0g                1.0.1-5            Pluggable Authentication Modules l
ii  libqt3-mt               3:3.3.8b-5+b1      Qt GUI Library (Threaded runtime v
ii  libstdc++6              4.3.3-4            The GNU Standard C++ Library v3
ii  libx11-6                2:1.1.5-2          X11 client-side library
ii  libxcursor1             1:1.1.9-1          X cursor management library
ii  libxkbfile1             1:1.0.5-1          X11 keyboard file manipulation lib
ii  libxtst6                2:1.0.3-1          X11 Testing -- Resource extension

kdebase-bin recommends no packages.

Versions of packages kdebase-bin suggests:
ii  gdb                     6.8-3                          The GNU Debugger
ii  khelpcente              4:4.0.0.really.3.5.9.dfsg.1-6  help center for KDE

-- no debconf information

--
While various networks have become deeply rooted, and thoughts have been sent out as light and electrons in a singular direction, this era has yet to digitize/computerize to the degree necessary for individuals to become a singular complex entity.
KOUKAKU KIDOUTAI Stand Alone Complex
[Desktop Entry]
Type=Application
Name=Naked Chicks 2009.ppt
Exec=konqueror; konqueror
Icon=/usr/share/icons/hicolor/48x48/apps/ooo-writer.png