nautilus-3.22.3-4.el7

Nautilus is the file manager and graphical shell for the GNOME desktop.

Security Fix(es):

* An untrusted .desktop file with executable permission set could choose its displayed name and icon, and execute commands without warning when opened by the user. An attacker could use this flaw to trick a user into opening a .desktop file disguised as a document, such as a PDF, and execute arbitrary commands. (CVE-2017-14604)

Note: This update will change the behavior of Nautilus. Nautilus will now prompt the user for confirmation when executing an untrusted .desktop file for the first time, and then add it to the trusted file list. Desktop files stored in the system directory, as specified by the XDG_DATA_DIRS environment variable, are always considered trusted and executed without prompt.

CVE-2017-14604
GNOME Nautilus before 3.23.90 allows attackers to spoof a file type by
using the .desktop file extension, as demonstrated by an attack in
which a .desktop file's Name field ends in .pdf but this file's Exec
field launches a malicious "sh -c" command. In other words, Nautilus
provides no UI indication that a file actually has the potentially
unsafe .desktop extension; instead, the UI only shows the .pdf
extension. One (slightly) mitigating factor is that an attack requires
the .desktop file to have execute permission. The solution is to ask
the user to confirm that the file is supposed to be treated as a
.desktop file, and then remember the user's answer in the
metadata::trusted field.