Bug 23197

Summary: lxde asking at desktop-files "execute files"
Product: Mageia Reporter: Marc Krämer <mageia>
Component: RPM PackagesAssignee: Nicolas Salguero <nicolas.salguero>
Status: RESOLVED INVALID QA Contact:
Severity: normal    
Priority: Normal CC: marja11
Version: 6   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: lxde-common-0.99.2-1.mga6.src.rpm CVE:
Status comment:

Description Marc Krämer 2018-06-18 14:11:58 CEST 
since some of the last updates lxde asks (e.g.) "The textfile PCManFM is executeable. What do you want to do?" Execute, Abort, Start in terminal, Open

I have this on any desktop file which is not executed by the menu. E.g. clicking the default "Shutdown Icon" asks the same question.

This behaviour was introduced by any of the updates. I haven't had this after installing mga6.
Marja Van Waes 2018-06-18 16:54:02 CEST

CC: (none) => marja11
Assignee: bugsquad => nicolas.salguero

Comment 1 Nicolas Salguero 2018-06-19 15:15:08 CEST 
Hi,

This behaviour was introduced in version 1.3.0 of libfm/pcmanfm as a response to CVE-2017-14604.

Best regards,

Nico.
Comment 2 Marc Krämer 2018-06-19 15:50:29 CEST 
Hi Nico,
but this behaviour is true for all files. e.g. in ~/.config/lxpanel/LXDE/panels/panel I have:
Plugin {
  type=launchbar
  Config {
    Button {
      id=/usr/share/applications/mate-terminal.desktop
    }
  }
}

ll /usr/share/applications/mate-terminal.desktop
-rw-r--r-- 1 root root 10659 Mai 17  2017 /usr/share/applications/mate-terminal.desktop

so the desktop file itself IS NOT executeable, but the application itself is.

But lxde keeps asking if I want to execute the textfile <MATE-Terminal>
Comment 3 Nicolas Salguero 2018-06-19 16:52:58 CEST 
Regarding lxpanel, I found that removing the path solve the problem (eg: replace "id=/usr/share/applications/mate-terminal.desktop" by "id=mate-terminal.desktop")
Comment 4 Marc Krämer 2018-06-19 17:13:18 CEST 
this file was "generated", by using the graphical interface. I was just giving you an example.

I think, by removing the path, the file is not found by that routine which checks for executeable files. This may show another volunerability. But at least the check has to end in case a destination file is not a ".desktop" file.
Comment 5 Nicolas Salguero 2018-06-20 09:50:05 CEST 
To solve CVE-2017-14604, the upstream project decided that, for every .desktop file, the user will be asked what he/she wants to do except in one case: if the .desktop file is of type "Link" and the pointed URL is a desktop file that is in /usr/share/applications (the type of desktop file you can have if you right-click on a menu entry and click on "Add to desktop").

Regarding lxpanel, I think the program that allows the user to modify the list of applications in launch bars may need to be updated to remove /usr/share/applications to match the behaviour of a menu entry.
Comment 6 Marc Krämer 2018-06-20 14:55:17 CEST 
I see, so I have to update all my "old" .desktop files, to match the new behaviour.

I've tested lxpanel editor, it works as you say, but it does not update previously created items.

Thank you for the explanation. It was not obvious to me, why this happend.

Status: NEW => RESOLVED
Resolution: (none) => INVALID