nautilus-3.22.3-4.el7
Errata ID: AXSA:2018-2543:01
Release date:
2018/01/26 Friday - 17:19
Title:
nautilus-3.22.3-4.el7
Affected channels:
Asianux Server 7 for x86_64
Severity:
Moderate
Description:
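The following issue has been addressed.
[Security Fix]
- GNOME Nautilus does not properly display files with the .desktop extension
in its UI. For example, a file such as file.pdf.desktop, whose name ends in
.pdf and whose extension is .desktop, is displayed as if it were a .pdf file.
This allows an attacker to spoof the file type of a .desktop file with
dangerous content that may execute a malicious "sh -c" command.
(CVE-2017-14604)
Some of the CVE translations are quoted from JVN.
http://jvndb.jvn.jp/
Solution:
Update the packages.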
CVE:
CVE-2017-14604
GNOME Nautilus before 3.23.90 allows attackers to spoof a file type by using the .desktop file extension, as demonstrated by an attack in which a .desktop file's Name field ends in .pdf but this file's Exec field launches a malicious "sh -c" command. In other words, Nautilus provides no UI indication that a file actually has the potentially unsafe .desktop extension; instead, the UI only shows the .pdf extension. One (slightly) mitigating factor is that an attack requires the .desktop file to have execute permission. The solution is to ask the user to confirm that the file is supposed to be treated as a .desktop file, and then remember the user's answer in the metadata::trusted field.
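An audit sketch for the conditions the CVE text names (execute permission, a Name field ending in a document extension, an Exec field that starts a shell with -c). This is an added example, not code from the advisory or from Nautilus; the function names, `DOC_EXTS` and `SHELLS` are assumptions chosen for illustration, and it does not read the metadata::trusted field.

```python
import configparser, os, shlex, stat, sys

DOC_EXTS = {".pdf", ".doc", ".docx", ".odt", ".txt", ".jpg", ".png"}  # assumed list
SHELLS = {"sh", "bash", "dash"}                                       # assumed list

# Constructed sample mirroring the advisory's description; Exec is a harmless echo.
SAMPLE = '[Desktop Entry]\nType=Application\nName=report.pdf\nExec=sh -c "echo constructed"\n'

def audit_desktop_file(path):
    """Return a dict of risk flags for one .desktop file, or None if unparsable."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",),
                                      comment_prefixes=("#",))
    cp.optionxform = str  # desktop-entry keys are case-sensitive
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            cp.read_file(fh)
        entry = cp["Desktop Entry"]
        mode = os.stat(path).st_mode
    except (OSError, KeyError, configparser.Error):
        return None
    name, cmd = entry.get("Name", ""), entry.get("Exec", "")
    try:
        argv = shlex.split(cmd)
    except ValueError:  # unbalanced quotes: fall back to a whitespace split
        argv = cmd.split()
    flags = {
        "path": path,
        "executable": bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)),
        "name_looks_like_document": os.path.splitext(name)[1].lower() in DOC_EXTS,
        "exec_runs_shell": bool(argv) and os.path.basename(argv[0]) in SHELLS
                           and "-c" in argv[1:],
    }
    # The advisory's precondition: execute bit plus a Name that hides the real type.
    flags["spoof_candidate"] = flags["executable"] and flags["name_looks_like_document"]
    return flags

def scan(root):
    """Audit every *.desktop file under root; return only spoof candidates."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.endswith(".desktop"):
                res = audit_desktop_file(os.path.join(dirpath, fn))
                if res and res["spoof_candidate"]:
                    hits.append(res)
    return hits

if __name__ == "__main__":
    for hit in scan(sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")):
        print(hit)
```

Run it against download and desktop directories on hosts that have not yet received the updated package; a hit with `exec_runs_shell` set deserves a manual look at the Exec line.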
Additional information:
N/A
Downloads:
SRPMS
- nautilus-3.22.3-4.el7.src.rpm
MD5: 3df51aee44e2dbe82f7833b517f17e3c
SHA-256: c20fea342e9e6597dd40c39dda0e19c490ad0a46186edb64ce16e97f524ec4e2
Size: 5.01 MB
Asianux Server 7 for x86_64
- nautilus-3.22.3-4.el7.x86_64.rpm
MD5: b66fd524f8282cef6303a197c158a0b2
SHA-256: 36420c08cfa744d5f10bab8372bfea7fa07e212425c62bfd78cb433dedd8bf92
Size: 2.84 MB
- nautilus-extensions-3.22.3-4.el7.x86_64.rpm
MD5: 55cfcd5bd42005457c51ad33d55daf46
SHA-256: 22ecfc7ad757dc5db5c9e3f4f9778e563b3a5fee40a199cd1295361923175d2c
Size: 75.10 kB
- nautilus-3.22.3-4.el7.i686.rpm
MD5: 72708032c09df809fd1c0c966fe765f2
SHA-256: 62649b87b67d1ec9c5c2a4202c50df4dd9926b0f641ec440d31d0ef8008d5e17
Size: 2.87 MB
- nautilus-extensions-3.22.3-4.el7.i686.rpm
MD5: 56bd4b85d29812b8df3cc6613fb37e24
SHA-256: 42ba1ae8e60895be1f130b0aa640c37f46f70640e5714e218bf43ef4cde04276
Size: 74.97 kB