[pkg-wine-party] Proposed security update for gnome-exe-thumbnailer

James Lu bitflip3 at gmail.com
Tue Jul 18 01:54:30 UTC 2017


Hi everyone,
Resending as I used the wrong address for pkg-wine-party.

On 18/07/17 09:46 AM, James Lu wrote:
> Hi Security Team,
> 
> Earlier today I received a bug report about a VBScript injection issue
> in gnome-exe-thumbnailer through specially crafted filenames. The Debian
> bug is at https://bugs.debian.org/868705, and the reporter's PoC is at
> http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html
> 
> As I have commit access upstream, I fixed the bug by migrating away from
> the VBScript-based parsing in
> https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1d8e3102dd8fd23431ae6127d14a236da6b4a4a5,
> and released 0.9.5 soon after.
> 
> For unstable, there is also a pending upload currently in mentors for
> 0.9.5-1. https://mentors.debian.net/package/gnome-exe-thumbnailer
> 
> For stretch, my proposed fix backports the above commit as a patch and
> adds a recommend on msitools. The update is in the pkg-wine Git repo,
> but I don't have a stretch machine to test it on (I'm on vacation right
> now):
> https://anonscm.debian.org/git/pkg-wine/gnome-exe-thumbnailer.git/log/?h=stretch-proposed
> 
> The PoC was linked directly in the bug report, so the issue is now
> public. I do believe though that the impact is low because it requires
> somehow obtaining an .msi file with a very strange name, and requires a
> Wine configuration (possibly with a specific winetricks setup) to be
> already set up. There is no CVE identifier as far as I know.
> 
> Best,
> James
> 
