[pkg-wine-party] Proposed security update for gnome-exe-thumbnailer

Stephen Kitt skitt at debian.org
Tue Jul 18 07:44:33 UTC 2017


James, thanks for taking care of this!

Le 18/07/2017 03:54, James Lu a écrit :
> On 18/07/17 09:46 AM, James Lu wrote:
>> Earlier today I received a bug report about a VBScript injection issue
>> in gnome-exe-thumbnailer through specially crafted filenames. The 
>> Debian
>> bug is at https://bugs.debian.org/868705, and the reporter's PoC is at
>> http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html
>> As I have commit access upstream, I fixed the bug by migrating away 
>> from
>> the VBScript-based parsing in
>> https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1d8e3102dd8fd23431ae6127d14a236da6b4a4a5,
>> and released 0.9.5 soon after.
>> For unstable, there is also a pending upload currently in mentors for
>> 0.9.5-1. https://mentors.debian.net/package/gnome-exe-thumbnailer

I see from 
that a CVE has already been requested. Should we wait for it to be 
assigned before uploading, so it can be included in the changelog?



More information about the pkg-wine-party mailing list