[pkg-wine-party] Proposed security update for gnome-exe-thumbnailer
Stephen Kitt
skitt at debian.org
Tue Jul 18 07:44:33 UTC 2017
Hi,
James, thanks for taking care of this!
On 18/07/2017 03:54, James Lu wrote:
> On 18/07/17 09:46 AM, James Lu wrote:
>> Earlier today I received a bug report about a VBScript injection issue
>> in gnome-exe-thumbnailer through specially crafted filenames. The Debian
>> bug is at https://bugs.debian.org/868705, and the reporter's PoC is at
>> http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html
>>
>> As I have commit access upstream, I fixed the bug by migrating away from
>> the VBScript-based parsing in
>> https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1d8e3102dd8fd23431ae6127d14a236da6b4a4a5,
>> and released 0.9.5 soon after.
>>
>> For unstable, there is also a pending upload currently in mentors for
>> 0.9.5-1. https://mentors.debian.net/package/gnome-exe-thumbnailer
I see from
https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1d8e3102dd8fd23431ae6127d14a236da6b4a4a5
that a CVE has already been requested. Should we wait for it to be
assigned before uploading, so it can be included in the changelog?
Regards,
Stephen