23197 – lxde asking at desktop-files "execute files"

Bug 23197 - lxde asking at desktop-files "execute files"

Summary: lxde asking at desktop-files "execute files"

Status:	RESOLVED INVALID

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	RPM Packages (show other bugs)
Version:	6
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	Nicolas Salguero
QA Contact:

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2018-06-18 14:11 CEST by Marc Krämer
Modified:	2018-06-20 14:55 CEST (History)
CC List:	1 user (show)

See Also:
Source RPM:	lxde-common-0.99.2-1.mga6.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Marc Krämer 2018-06-18 14:11:58 CEST

since some of the last updates lxde asks (e.g.) "The textfile PCManFM is executeable. What do you want to do?" Execute, Abort, Start in terminal, Open

I have this on any desktop file which is not executed by the menu. E.g. clicking the default "Shutdown Icon" asks the same question.

This behaviour was introduced by any of the updates. I haven't had this after installing mga6.

Marja Van Waes 2018-06-18 16:54:02 CEST

CC: (none) => marja11
Assignee: bugsquad => nicolas.salguero

Comment 1 Nicolas Salguero 2018-06-19 15:15:08 CEST

Hi,

This behaviour was introduced in version 1.3.0 of libfm/pcmanfm as a response to CVE-2017-14604.

Best regards,

Nico.

Comment 2 Marc Krämer 2018-06-19 15:50:29 CEST

Hi Nico,
but this behaviour is true for all files. e.g. in ~/.config/lxpanel/LXDE/panels/panel I have:
Plugin {
  type=launchbar
  Config {
    Button {
      id=/usr/share/applications/mate-terminal.desktop
    }
  }
}

ll /usr/share/applications/mate-terminal.desktop
-rw-r--r-- 1 root root 10659 Mai 17  2017 /usr/share/applications/mate-terminal.desktop

so the desktop file itself IS NOT executeable, but the application itself is.

But lxde keeps asking if I want to execute the textfile <MATE-Terminal>

Comment 3 Nicolas Salguero 2018-06-19 16:52:58 CEST

Regarding lxpanel, I found that removing the path solve the problem (eg: replace "id=/usr/share/applications/mate-terminal.desktop" by "id=mate-terminal.desktop")

Comment 4 Marc Krämer 2018-06-19 17:13:18 CEST

this file was "generated", by using the graphical interface. I was just giving you an example.

I think, by removing the path, the file is not found by that routine which checks for executeable files. This may show another volunerability. But at least the check has to end in case a destination file is not a ".desktop" file.

Comment 5 Nicolas Salguero 2018-06-20 09:50:05 CEST

To solve CVE-2017-14604, the upstream project decided that, for every .desktop file, the user will be asked what he/she wants to do except in one case: if the .desktop file is of type "Link" and the pointed URL is a desktop file that is in /usr/share/applications (the type of desktop file you can have if you right-click on a menu entry and click on "Add to desktop").

Regarding lxpanel, I think the program that allows the user to modify the list of applications in launch bars may need to be updated to remove /usr/share/applications to match the behaviour of a menu entry.

Comment 6 Marc Krämer 2018-06-20 14:55:17 CEST

I see, so I have to update all my "old" .desktop files, to match the new behaviour.

I've tested lxpanel editor, it works as you say, but it does not update previously created items.

Thank you for the explanation. It was not obvious to me, why this happend.

Status: NEW => RESOLVED
Resolution: (none) => INVALID

Note You need to log in before you can comment on or make changes to this bug.