{"id":"CVE-2017-14604","details":"GNOME Nautilus before 3.23.90 allows attackers to spoof a file type by using the .desktop file extension, as demonstrated by an attack in which a .desktop file's Name field ends in .pdf but this file's Exec field launches a malicious \"sh -c\" command. In other words, Nautilus provides no UI indication that a file actually has the potentially unsafe .desktop extension; instead, the UI only shows the .pdf extension. One (slightly) mitigating factor is that an attack requires the .desktop file to have execute permission. The solution is to ask the user to confirm that the file is supposed to be treated as a .desktop file, and then remember the user's answer in the metadata::trusted field.","modified":"2026-04-11T04:38:11.309175Z","published":"2017-09-20T08:29:00.270Z","related":["SUSE-SU-2018:1694-1","SUSE-SU-2018:2058-1"],"references":[{"type":"ADVISORY","url":"http://www.debian.org/security/2017/dsa-3994"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/101012"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:0223"},{"type":"ADVISORY","url":"https://github.com/freedomofpress/securedrop/issues/2238"},{"type":"REPORT","url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860268"},{"type":"REPORT","url":"https://bugzilla.gnome.org/show_bug.cgi?id=777991"},{"type":"FIX","url":"https://github.com/GNOME/nautilus/commit/bc919205bf774f6af3fa7154506c46039af5a69b"},{"type":"FIX","url":"https://github.com/GNOME/nautilus/commit/1630f53481f445ada0a455e9979236d31a8d3bb0"},{"type":"EVIDENCE","url":"https://micahflee.com/2017/04/breaking-the-security-model-of-subgraph-os/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gnome/nautilus","events":[{"introduced":"0"},{"fixed":"bc919205bf774f6af3fa7154506c46039af5a69b"},{"fixed":"1630f53481f445ada0a455e9979236d31a8d3bb0"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.23.90"}]}}],"versions":["2.27.2","2.27.4","2.27.91","2.27.92","2.
28.0","2.29.1","2.29.2","2.29.90","2.29.91","2.29.92","2.29.92.1","2.30.0","2.30.1","2.31.1","2.31.2","2.31.3","2.31.4","2.31.5","2.90.1","2.91.0","2.91.0.1","2.91.1","2.91.2","2.91.3","2.91.4","2.91.5","2.91.6","2.91.7","2.91.8","2.91.9","2.91.90","2.91.90.1","2.91.91","2.91.92","2.91.93","2.91.94","3.0.0","3.1.1","3.1.2","3.1.3","3.1.4","3.1.90","3.1.92","3.10.0","3.11.2","3.11.3","3.11.90","3.11.92","3.12.0","3.13.1","3.13.2","3.13.90","3.13.91","3.13.92","3.14.0","3.15.4","3.15.90","3.15.91","3.15.92","3.16.0","3.17.2","3.17.3","3.17.90","3.17.91","3.18.0","3.18.1","3.19.2","3.2.0","3.21.91.1","3.21.92","3.22.0.1","3.22.1","3.3.1.1","3.3.3","3.3.4","3.3.5","3.3.90","3.3.91","3.3.92","3.4.0","3.5.1","3.5.2","3.5.3","3.5.4","3.5.5","3.5.90","3.5.91","3.5.92","3.6.0","3.9.3","3.9.90","3.9.91","3.9.92","BONOBO_SLAY_BRANCHPOINT","DROOLING_MACAQUE","EAZEL-NAUTILUS-MS-AUG07","EAZEL-NAUTILUS-MS-JUL12","EAZEL-NAUTILUS-MS-JULY_5","EAZEL_DEMO_1_ANCHOR","EAZEL_NAUTILUS_DEMO_2_ANCHOR","FOR_GNOME_0_99_1","GGV_0_61","GNOME_0_20","GNOME_0_20a","GNOME_0_25","GNOME_0_27","GNOME_0_28_MARTIN","GNOME_0_30","GNOME_0_99_2","GNOME_0_99_3","GNOME_0_99_7","GNOME_0_99_8","GNOME_0_99_8_1","GNOME_2_0_BRANCHPOINT","GNOME_2_10_BRANCHPOINT","GNOME_2_12_BRANCHPOINT","GNOME_2_14_BRANCHPOINT","GNOME_2_16_BRANCHPOINT","GNOME_2_2_BRANCHPOINT","GNOME_2_4_BRANCHPOINT","GNOME_2_6_BRANCHPOINT","GNOME_CORE_1_0_0_1","GNOME_CORE_1_0_1","GNOME_CORE_1_0_3","GNOME_CORE_1_0_4","GNOME_CORE_1_0_5","GNOME_CORE_1_0_6","GNOME_CORE_1_0_7","GNOME_CORE_1_0_8","GNOME_CORE_1_0_9","GNOME_CORE_1_0_ANCHOR","GNOME_CORE_1_1_0","GNOME_STABLE_ANCHOR","INITIAL","INSTALLER_PR3_ANCHOR","MULTIHEAD_BRANCHPOINT","NAUTILUS-NEW-UIH-BRANCH_ANCHOR","NAUTILUS_0_8_2","NAUTILUS_1_0_3","NAUTILUS_1_0_4","NAUTILUS_1_0_5","NAUTILUS_1_1_1","NAUTILUS_1_1_10","NAUTILUS_1_1_11","NAUTILUS_1_1_12","NAUTILUS_1_1_13","NAUTILUS_1_1_14","NAUTILUS_1_1_15","NAUTILUS_1_1_16","NAUTILUS_1_1_17","NAUTILUS_1_1_18","NAUTILUS_1_1_19","NAUTILUS_1_1_2","NAUTILUS_
1_1_3","NAUTILUS_1_1_4","NAUTILUS_1_1_5","NAUTILUS_1_1_6","NAUTILUS_1_1_8","NAUTILUS_1_1_9","NAUTILUS_1_ANCHOR","NAUTILUS_2_0_1","NAUTILUS_2_0_2","NAUTILUS_2_0_3","NAUTILUS_2_0_4","NAUTILUS_2_0_6","NAUTILUS_2_10_0","NAUTILUS_2_11_1","NAUTILUS_2_11_2","NAUTILUS_2_11_3","NAUTILUS_2_11_4","NAUTILUS_2_11_90","NAUTILUS_2_11_91","NAUTILUS_2_11_92","NAUTILUS_2_12_0","NAUTILUS_2_12_1","NAUTILUS_2_13_1","NAUTILUS_2_13_2","NAUTILUS_2_13_3","NAUTILUS_2_13_4","NAUTILUS_2_13_90","NAUTILUS_2_13_91","NAUTILUS_2_13_92","NAUTILUS_2_14_0","NAUTILUS_2_14_1","NAUTILUS_2_15_1","NAUTILUS_2_15_2","NAUTILUS_2_15_4","NAUTILUS_2_15_90","NAUTILUS_2_15_91","NAUTILUS_2_15_92","NAUTILUS_2_15_92_1","NAUTILUS_2_16_0","NAUTILUS_2_16_1","NAUTILUS_2_16_2","NAUTILUS_2_16_3","NAUTILUS_2_17_1","NAUTILUS_2_17_91","NAUTILUS_2_17_92","NAUTILUS_2_18_0","NAUTILUS_2_18_0_1","NAUTILUS_2_19_2","NAUTILUS_2_19_3","NAUTILUS_2_19_4","NAUTILUS_2_19_5","NAUTILUS_2_19_6","NAUTILUS_2_19_90","NAUTILUS_2_19_91","NAUTILUS_2_1_0","NAUTILUS_2_1_1","NAUTILUS_2_1_2","NAUTILUS_2_1_3","NAUTILUS_2_1_5","NAUTILUS_2_1_6","NAUTILUS_2_1_91","NAUTILUS_2_20_0","NAUTILUS_2_21_2","NAUTILUS_2_21_5","NAUTILUS_2_21_6","NAUTILUS_2_21_90","NAUTILUS_2_21_91","NAUTILUS_2_21_92","NAUTILUS_2_22_0","NAUTILUS_2_22_1","NAUTILUS_2_23_2","NAUTILUS_2_23_3","NAUTILUS_2_23_4","NAUTILUS_2_23_5","NAUTILUS_2_23_5_1","NAUTILUS_2_23_6","NAUTILUS_2_23_6_1","NAUTILUS_2_23_90","NAUTILUS_2_23_91","NAUTILUS_2_23_92","NAUTILUS_2_24_0","NAUTILUS_2_25_1","NAUTILUS_2_25_2","NAUTILUS_2_25_3","NAUTILUS_2_25_4","NAUTILUS_2_25_91","NAUTILUS_2_25_92","NAUTILUS_2_25_93","NAUTILUS_2_26_0","NAUTILUS_2_26_1","NAUTILUS_2_26_2","NAUTILUS_2_27_1","NAUTILUS_2_2_0","NAUTILUS_2_2_0_1","NAUTILUS_2_2_0_2","NAUTILUS_2_2_1","NAUTILUS_2_2_2","NAUTILUS_2_2_3","NAUTILUS_2_3_1","NAUTILUS_2_3_2","NAUTILUS_2_3_3","NAUTILUS_2_3_4","NAUTILUS_2_3_5","NAUTILUS_2_3_6","NAUTILUS_2_3_7","NAUTILUS_2_3_8","NAUTILUS_2_3_9","NAUTILUS_2_3_90","NAUTILUS_2_4_0","NAUTILUS_2_5_0","NAUTILUS_2_5_1","NAUTILUS_
2_5_1_1","NAUTILUS_2_5_2","NAUTILUS_2_5_3","NAUTILUS_2_5_5","NAUTILUS_2_5_6","NAUTILUS_2_5_7","NAUTILUS_2_5_8","NAUTILUS_2_5_90","NAUTILUS_2_5_91","NAUTILUS_2_6_0","NAUTILUS_2_6_1","NAUTILUS_2_6_2","NAUTILUS_2_6_BRANCHPOINT","NAUTILUS_2_7_2","NAUTILUS_2_7_4","NAUTILUS_2_7_92","NAUTILUS_2_8_0","NAUTILUS_2_8_1","NAUTILUS_2_8_2","NAUTILUS_2_9_1","NAUTILUS_2_9_2","NAUTILUS_2_9_90","NAUTILUS_2_9_91","NAUTILUS_2_9_92","NAUTILUS_BEFORE_REMOVING_HELP_COMPONENT","NAUTILUS_EXTENSIONS_BRANCHPOINT","NAUTILUS_EXTENSIONS_MERGEPOINT_1","NAUTILUS_NEW_MIME_BRANCHPOINT","NAUTILUS_PR2_ANCHOR","NAUTILUS_PR3_ANCHOR","NAUTILUS_SEARCH2_MERGE_ANCHOR1","NAUTILUS_SEARCH2_MERGE_ANCHOR2","NAUTILUS_SEARCH_BRANCH_ANCHOR","NAUTILUS_SPATIAL_PLAYGROUND_BRANCHPOINT","NAUTILUS_UIH_MERGE_BASE","NEW_ICON_FACTORY_BRANCHPOINT","NEW_SIDE_PANE_BRANCHPOINT","PANTING_CHIMPANZEE","POST_1_0_MERGE","PRE_1_0_MERGE","PRE_PANEL2","RAK_SOUNDVIEW_ANCHOR","REDHAT_MERGE_BRANCHPOINT","REDHAT_OUTSTANDING_PATCHES_BRANCHPOINT","V0_0","XIMIAN_SMB_ANCHOR","XIMIAN_SUN_DELIVERY_1_MERGE","before-trilobite-move","mjs_pre_great_renaming","nautilus_ms_may_31","pre-mjs-demo-bugfixes"],"database_specific":{"vanir_signatures_modified":"2026-04-11T04:38:11Z","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]}],"vanir_signatures":[{"deprecated":false,"signature_version":"v1","id":"CVE-2017-14604-2785aa60","target":{"file":"src/nautilus-mime-actions.c","function":"activate_desktop_file"},"signature_type":"Function","digest":{"function_hash":"309799132735185724762802509550814036745","length":1566},"source":"https://github.com/gnome/nautilus/commit/1630f53481f445ada0a455e9979236d31a8d3bb0"},{"deprecated":false,"signature_version":"v1","id":"CVE-2017-14604-385b7887","target":{"file":"src/nautilus-metadata.c"},"signature_type":"Line","digest":{"threshold":0.9},"source":"https://github.com/gnome/nautilus/commit/1630f53481f445ada0a455e9979236d31a8d3bb0"},{"deprecated":false,"signature_version":"v1","id":"CVE-2017-14604-4f368ed5","target":{"file":"src/nautilus-directory-async.c"},"signature_type":"Line","digest":{"threshold":0.9},"source":"https://github.com/gnome/nautilus/commit/1630f53481f445ada0a455e9979236d31a8d3bb0"},{"deprecated":false,"signature_version":"v1","id":"CVE-2017-14604-63beb3cc","target":{"file":"src/nautilus-mime-actions.c"},"signature_type":"Line","digest":{"threshold":0.9},"source":"https://github.com/gnome/nautilus/commit/1630f53481f445ada0a455e9979236d31a8d3bb0"},{"deprecated":false,"signature_version":"v1","id":"CVE-2017-14604-700bf803","target":{"file":"src/nautilus-file-operations.h"},"signature_type":"Line","digest":{"threshold":0.9},"source":"https://github.com/gnome/nautilus/commit/1630f53481f445ada0a455e9979236d31a8d3bb0"},{"deprecated":false,"signature_version":"v1","id":"CVE-2017-14604-70d20204","target":{"file":"src/nautilus-mime-actions.c","function":"untrusted_launcher_response_callback"},"signature_type":"Function","digest":{"function_hash":"327231013708236988570229384005638915414","length":626},"source":"https://github.com/gnome/nautilus/commit/1630f53481f445ada0a455e9979236d31a8d3bb0"},{"deprecated":false,"signature_version":"v1","id":"CVE-2017-14604-aea870a2","target":{"file":"src/nautilus-file-operations.c"},"signature_type":"Line","digest":{"threshold":0.9},"source":"https://github.com/gnome/nautilus/commit/1630f53481f445ada0a455e9979236d31a8d3bb0"},{"deprecated":false,"signature_version":"v1","id":"CVE-2017-14604-bde2f008","target":{"file":"src/nautilus-file-operations.c","function":"nautilus_file_mark_desktop_file_trusted"},"signature_type":"Function","digest":{"function_hash":"141162425861366650653440231486993719035","length":428},"source":"https://github.com/gnome/nautilus/commit/1630f53481f445ada0a455e9979236d31a8d3bb0"},{"deprecated":false,"signature_version":"v1","id":"CVE-2017-14604-c4de93f0","target":{"file":"src/nautilus-file-operations.c","function":"mark_desktop_file_trusted"},"signature_type":"Function","digest":{"function_hash":"183966888258323354892972309304852142755","length":2554},"source":"https://github.com/gnome/nautilus/commit/1630f53481f445ada0a455e9979236d31a8d3bb0"},{"deprecated":false,"signature_version":"v1","id":"CVE-2017-14604-c990e4e4","target":{"file":"src/nautilus-directory-async.c","function":"is_link_trusted"},"signature_type":"Function","digest":{"function_hash":"315953036814516254267913547474544558445","length":288},"source":"https://github.com/gnome/nautilus/commit/1630f53481f445ada0a455e9979236d31a8d3bb0"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-14604.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}]}