[pkg-wine-party] Proposed security update for gnome-exe-thumbnailer

James Lu bitflip3 at gmail.com
Tue Jul 18 11:38:13 UTC 2017

Got it, thanks!


On 18/07/17 07:28 PM, Sébastien Delafond wrote:
> On Jul/18, James Lu wrote:
>> I'll admit that my initial guess of the bug's severity was a bit
>> rushed.  Upon thinking about it more, I do feel that this bug /could/
>> be reliability exploited. I have these thoughts in particular:
>> 1) I can think of a few ways that a strangely named file with code
>> inside it could make its way onto a system: crafted download links,
>> maliciously prepared storage (USB sticks, etc.), and archives with
>> such a file inside them. In these cases, a bit of social engineering
>> could induce a user into browsing to a folder with the file (which is
>> a seemingly innocuous action by itself) and triggering the exploit.
>> 2) However, VBScript is a pretty niche language AFAIK, and there's
>> almost no use of it whatsoever outside Windows. Therefore, any
>> attempts to exploit this would indicate a substantially targeted
>> attack.  Originally, this was the only reason why I thought this bug
>> would be low impact.
>> 3) This is my first time actively dealing with a security fix myself,
>> so I really don't want to be misjudging the severity of any
>> exploit. Trying to imagine the potential impact closely makes me
>> paranoid, and at this point I'm fairly uncertain what the right
>> severity is. With this info in mind, I humbly request a second opinion
>> :)
> I agree it's not extremely difficult to fool someone into visiting a
> folder containing the pathologic MSI file, but the fact you need a
> working wine setup already in place heavily mitigates the severity. We
> therefore still consider this one to be low-severity/no-dsa.
> Cheers,
> --Seb

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-wine-party/attachments/20170718/f094dada/attachment-0001.sig>

More information about the pkg-wine-party mailing list