[pkg-wine-party] Proposed security update for gnome-exe-thumbnailer

James Lu bitflip3 at gmail.com
Tue Jul 18 08:32:44 UTC 2017


Hi all,

I'll admit that my initial guess of the bug's severity was a bit rushed.
Upon thinking about it more, I do feel that this bug /could/ be
reliably exploited. I have these thoughts in particular:

1) I can think of a few ways that a strangely named file with code
inside it could make its way onto a system: crafted download links,
maliciously prepared storage (USB sticks, etc.), and archives with such
a file inside them. In these cases, a bit of social engineering could
induce a user into browsing to a folder with the file (which is a
seemingly innocuous action by itself) and triggering the exploit.

2) However, VBScript is a pretty niche language AFAIK, and there's
almost no use of it whatsoever outside Windows. Therefore, any attempts
to exploit this would indicate a substantially targeted attack.
Originally, this was the only reason why I thought this bug would be low
impact.

3) This is my first time actively dealing with a security fix myself, so
I really don't want to be misjudging the severity of any exploit. Trying
to imagine the potential impact closely makes me paranoid, and at this
point I'm fairly uncertain what the right severity is. With this info in
mind, I humbly request a second opinion :)

Best,
James

On 18/07/17 04:01 PM, Moritz Muehlenhoff wrote:
> On Tue, Jul 18, 2017 at 09:56:52AM +0200, Sébastien Delafond wrote:
>> On Jul/18, Stephen Kitt wrote:
>>> I see from
>>> https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1d8e3102dd8fd23431ae6127d14a236da6b4a4a5
>>> that a CVE has already been requested. Should we wait for it to be
>>> assigned before uploading, so it can be included in the changelog?
>>
>> Yes, it would be best if the changelog could mention it.
>>
>> As for stretch, we don't feel this warrants a DSA. Instead, you'll want
>> to schedule a fix via stable-proposed-updates.
> 
> Agreed, as already suggested by James in his initial mail this is low
> impact.
> 
> Cheers,
>         Moritz
> 
