[pkg-wine-party] Bug#868737: gnome-exe-thumbnailer: unsafe use of /tmp

Ansgar Burchardt ansgar at debian.org
Tue Jul 18 07:31:36 UTC 2017

Package: gnome-exe-thumbnailer
Version: 0.9.4-2
Severity: important
Tags: security upstream

gnome-exe-thumbnailer creates temporary files in /tmp using `mktemp`
(e.g. ${TEMPFILE1}), but also uses those names with a suffix
(e.g. ${TEMPFILE1}.vbs) which is not safe to do.

Examples are (from [1]):

| # Try to extract all icons:
| icotool --extract $TEMPFILE1 -o /tmp
| # There's always a 32x32x32 icon in "Vista" icons, but just to be sure:
| [ -s ${TEMPFILE1}_${INDEX}_32x32x${BITDEPTH}.png ] && ICON=${TEMPFILE1}_${INDEX}_32x32x${BITDEPTH}.png
+---( lines 264--268 )

| DISPLAY=NONE wine cscript.exe //E:vbs //NoLogo Z:\\tmp\\${TEMPFILE1##*/}.vbs 2>/dev/null \
+---( line 374 )

The latter seems to be gone with the upstream changes for #868705.

It also removes all files whose name starts with ${TEMPFILE1} which
might in theory also be ones it did not create:

+---( line 407 )

Using a temporary directory (`mktemp -d`) instead of just files should
help avoid these issues.  It should probably also quit early in case
`mktemp` failed.


  [1] <http://sources.debian.net/src/gnome-exe-thumbnailer/0.9.4-2/usr/bin/gnome-exe-thumbnailer>
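As an added example (not code from the gnome-exe-thumbnailer package or from this report), a POSIX sh sketch of the fix the report suggests: one private directory from `mktemp -d`, fixed file names inside it instead of suffixes appended to the mktemp name, an early exit when `mktemp` fails, and a cleanup that removes only that directory rather than a `${TEMPFILE1}*` glob. The names `icon.ico`, `extract.vbs`, `icon_1_32x32x32.png` and the functions `make_workdir`, `derive_files` and `thumbnail_flow` are constructed stand-ins for the icotool and cscript steps, not names from the real script.

```sh
#!/bin/sh
# Added example, not the gnome-exe-thumbnailer script: temporary-file
# handling with a private directory from `mktemp -d` instead of
# /tmp/tmp.XXXXXX plus derived suffixes (.vbs, _N_32x32xD.png).
#
# Why it helps: mktemp only reserves the exact name it returns.  A
# sibling name such as "${TEMPFILE1}.vbs" is predictable (the base name
# is visible in /tmp) and another local user can pre-create or symlink
# it before the script writes there; "rm ${TEMPFILE1}*" can match files
# the script never made.  Inside a 0700 directory created by mktemp -d
# only the owner can create or read entries, and cleanup is one rm -rf.

set -u

# Create the private work directory (mktemp -d uses mode 0700 and
# honours $TMPDIR).  Abort instead of continuing with an empty variable.
make_workdir() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' "$dir"
}

# Constructed stand-in for the icotool / cscript steps: every derived
# file is a fixed name under the private directory, so there is no
# suffixed name in /tmp to race on.  $1 = input file, $2 = work dir.
derive_files() {
    input=$1
    work=$2
    cp -- "$input" "$work/icon.ico" || return 1
    printf '%s\n' 'WScript.Echo "hypothetical"' > "$work/extract.vbs" || return 1
    # stand-in for icotool's "<name>_<index>_32x32x<depth>.png" output
    printf 'PNG stand-in\n' > "$work/icon_1_32x32x32.png" || return 1
    # same existence check as the original, but on a name only we can create
    [ -s "$work/icon_1_32x32x32.png" ] && [ -f "$work/extract.vbs" ]
}

# Whole flow.  Prints the work directory it used (so a caller can
# confirm it is gone afterwards) and returns 0 on success, 1 on failure.
thumbnail_flow() {
    input=$1
    work=$(make_workdir) || return 1
    # Remove only our own directory on any exit path, never a /tmp glob.
    trap 'rm -rf -- "$work"' EXIT INT TERM HUP
    derive_files "$input" "$work" || return 1
    rm -rf -- "$work"
    trap - EXIT INT TERM HUP
    printf '%s\n' "$work"
}
```

Run as `thumbnail_flow /path/to/some.exe`; on success it prints the directory it used and that directory no longer exists. If `mktemp -d` fails (for example with `TMPDIR` pointing at a non-existent directory) the function returns 1 before touching anything, which is the early exit the report asks for.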
