[pkg-wine-party] Proposed security update for gnome-exe-thumbnailer

James Lu bitflip3 at gmail.com
Tue Jul 18 11:37:31 UTC 2017


Got it, thanks!

James

On 18/07/17 07:28 PM, Sébastien Delafond wrote:
> On Jul/18, James Lu wrote:
>> I'll admit that my initial guess of the bug's severity was a bit
>> rushed.  Upon thinking about it more, I do feel that this bug /could/
>> be reliability exploited. I have these thoughts in particular:
>>
>> 1) I can think of a few ways that a strangely named file with code
>> inside it could make its way onto a system: crafted download links,
>> maliciously prepared storage (USB sticks, etc.), and archives with
>> such a file inside them. In these cases, a bit of social engineering
>> could induce a user into browsing to a folder with the file (which is
>> a seemingly innocuous action by itself) and triggering the exploit.
>>
>> 2) However, VBScript is a pretty niche language AFAIK, and there's
>> almost no use of it whatsoever outside Windows. Therefore, any
>> attempts to exploit this would indicate a substantially targeted
>> attack.  Originally, this was the only reason why I thought this bug
>> would be low impact.
>>
>> 3) This is my first time actively dealing with a security fix myself,
>> so I really don't want to be misjudging the severity of any
>> exploit. Trying to imagine the potential impact closely makes me
>> paranoid, and at this point I'm fairly uncertain what the right
>> severity is. With this info in mind, I humbly request a second opinion
>> :)
> 
> I agree it's not extremely difficult to fool someone into visiting a
> folder containing the pathologic MSI file, but the fact you need a
> working wine setup already in place heavily mitigates the severity. We
> therefore still consider this one to be low-severity/no-dsa.
> 
> Cheers,
> 
> --Seb
> 



More information about the pkg-wine-party mailing list