On Tue, 19 May 2026 20:33:45 -0400 Aaron Rainbolt <[email protected]> wrote:
> This issue was mentioned in the "On the issue of MIME handlers that > execute arbitrary code" thread [1], and was brought up three years ago > in a report about a vulnerability in Mono [2], but it looks like no > one requested a CVE ID for it, so this is a targeted report so I have > something self-contained to link to. > > PCManFM-Qt implements the standard org.freedesktop.FileManager1 D-Bus > interface [3]. The interface specification states that the > org.freedesktop.FileManager1.ShowFolders function "assumes that the > specified URIs are folders; the file manager is supposed to show a > window with the contents of each folder." I believe the spec meant to > say that this method only takes URIs pointing to folders as arguments, > but PCManFM-Qt interprets the word "assumes" literally and hands the > URIs to a routine that does a MIME handler lookup and launch. If all > of the specified URIs actually *do* point to directories, this will do > what the user expects, but if any of the URIs point to files, those > files will be opened. This can be used for a number of different > malicious purposes; most notably, if the user is unlucky enough to > have Wine installed using WineHQ's upstream packages, it allows > escaping various sandboxing mechanisms (Flatpak, Snap, etc.) by > dropping an EXE file on the disk and then pointing PCManFM-Qt to it. > (This is because WineHQ's builds of Wine ship a MIME handler for EXE > files. That handler runs EXE files blindly.) CVE-2026-48700 has been assigned to this issue. [1] -- Aaron [1] https://www.cve.org/CVERecord?id=CVE-2026-48700
pgpHAbfgaHePs.pgp
Description: OpenPGP digital signature
