http://brainstorm.ubuntu.com/item/18028/ For example, they can receive the .desktop file on their email, and it's not required to give it execute permissions to run it.
In Gnome, there is a really big issue: .desktop files in ~/.local/share can overwrite the menu entry of some .desktop files in /usr/share/applications. For example, you have Synaptic. The run command specified in the .desktop file placed in /usr/share/applications is "gksu /usr/sbin/synaptic". A virus can copy this .desktop file to ~/.local/share/applications and change the run command to:
gksu /usr/sbin/synaptic. So, the user thinks that he is starting synaptic, but he is executing bad code as root as well as synaptic.
In KDE (tested in 3.5.10) there is another issue, that is fixed in Gnome: KDE doesn't check for MIME type and extension conflicts, so the user might download a file with a .pdf extension (for example), the file can have a icon of a pdf file (since it's a .desktop file, custom icon is easy to put), and click on it, thinking that it's a pdf file. But the file might execute malicious code and also copy itself in the KDE/Gnome autostart directory, or made to be run with root privileges when starting something with gksu for example.

If voting negative, please post a comment.

[76 votes] Solution #1: Basic security fixes


[135 votes] Solution #2: Require executable permissions for the .desktop files to be run


[-22 votes] Solution #3: Add an overlay icon


]]> en-us Sat, 14 Feb 2009 08:23:58 +0000 Sun, 15 Feb 2009 13:48:34 +0000 QAPoll module http://brainstorm.ubuntu.com/idea/18028/ Sun, 15 Feb 2009 13:26:05 +0000 Yes, you are right - that's a security bug. But I'm sure the rest is a suggestion rather than a bug.]]> Sun, 15 Feb 2009 13:48:34 +0000