
[pkg-wine-party] Bug#868737: marked as done (gnome-exe-thumbnailer: unsafe use of /tmp)



Your message dated Mon, 21 Aug 2017 10:00:11 +0000
with message-id <E1djjVD-000Fe3-BR@fasolo.debian.org>
and subject line Bug#868737: fixed in exe-thumbnailer 0.10.0-1
has caused the Debian Bug report #868737,
regarding gnome-exe-thumbnailer: unsafe use of /tmp
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
868737: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868737
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: gnome-exe-thumbnailer
Version: 0.9.4-2
Severity: important
Tags: security upstream

gnome-exe-thumbnailer creates temporary files in /tmp using `mktemp`
(e.g. ${TEMPFILE1}), but also uses those names with a suffix
(e.g. ${TEMPFILE1}.vbs) which is not safe to do.

Examples are (from [1]):

+---
| # Try to extract all icons:
| icotool --extract $TEMPFILE1 -o /tmp
|
| # There's always a 32x32x32 icon in "Vista" icons, but just to be sure:
| [ -s ${TEMPFILE1}_${INDEX}_32x32x${BITDEPTH}.png ] && ICON=${TEMPFILE1}_${INDEX}_32x32x${BITDEPTH}.png
+---( lines 264--268 )

+---
| DISPLAY=NONE wine cscript.exe //E:vbs //NoLogo Z:\\tmp\\${TEMPFILE1##*/}.vbs 2>/dev/null \
+---( line 374 )

The latter seems to be gone with the upstream changes for #868705.

It also removes all files whose name starts with ${TEMPFILE1} which
might in theory also be ones it did not create:

+---
| rm $TEMPFILE1* $TEMPFILE2 $TEMPTHUMB
+---( line 407 )

Using a temporary directory (`mktemp -d`) instead of just files should
help avoid these issues.  It should probably also quit early in case
`mktemp` failed.

Ansgar

  [1] <http://sources.debian.net/src/gnome-exe-thumbnailer/0.9.4-2/usr/bin/gnome-exe-thumbnailer>

--- End Message ---
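As an added example (not code from gnome-exe-thumbnailer, from its upstream, or from the bug report's author), the POSIX shell script below shows the temporary-directory pattern the report recommends: one private `mktemp -d` directory, an early exit if `mktemp` fails, suffixed names derived only inside that directory, and a cleanup that removes exactly that directory instead of globbing `${TEMPFILE1}*` in `/tmp`. The function names, the `exe-thumb.XXXXXX` template and the use of GNU `stat -c` are assumptions.

```shell
#!/bin/sh
# Added example: not part of gnome-exe-thumbnailer or of the bug report.
# Shows the mktemp -d pattern suggested in #868737 instead of suffixing
# a mktemp file name (${TEMPFILE1}.vbs) or globbing ${TEMPFILE1}* on cleanup.

# Create one private work directory (mktemp -d creates it mode 0700).
# Fails closed: returns non-zero if mktemp could not create it.
new_workdir() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/exe-thumb.XXXXXX") || return 1
    printf '%s\n' "$dir"
}

# Verify the directory is ours and private. Assumption: GNU stat -c is available.
workdir_is_private() {
    [ -d "$1" ] || return 1
    [ "$(stat -c '%a' "$1")" = "700" ] || return 1
    [ "$(stat -c '%u' "$1")" = "$(id -u)" ]
}

# Build a suffixed name inside the private directory. Nobody else can
# write there, so no pre-planted file or symlink can sit under the name;
# we still refuse to reuse a name that is already taken.
derived_path() {
    path="$1/$2$3"
    [ ! -e "$path" ] || return 1
    printf '%s\n' "$path"
}

# Remove exactly the directory we created, never a wildcard in /tmp.
cleanup_workdir() {
    [ -n "$1" ] && [ -d "$1" ] && rm -rf -- "$1"
}

# The flow a thumbnailer would follow; returns 0 when every step held.
run_demo() {
    work=$(new_workdir) || { echo "mktemp -d failed, aborting" >&2; return 1; }
    trap 'cleanup_workdir "$work"' EXIT INT TERM
    workdir_is_private "$work" || return 1
    exe=$(derived_path "$work" input .exe) || return 1
    vbs=$(derived_path "$work" input .vbs) || return 1
    printf 'constructed sample\n' > "$exe"   # constructed placeholder content
    printf 'constructed sample\n' > "$vbs"
    # Asking for the same derived name again must be refused.
    if derived_path "$work" input .vbs >/dev/null; then return 1; fi
    count=$(ls -A "$work" | wc -l | tr -d ' ')
    cleanup_workdir "$work"
    trap - EXIT INT TERM
    [ "$count" -eq 2 ] && [ ! -d "$work" ]
}

if [ "${1:-}" = "--demo" ]; then
    run_demo && echo "ok: private work directory used and removed"
fi
```

Run it as `sh example.sh --demo`. The point of the directory is that every derived name (`input.exe`, `input.vbs`, the `_INDEX_32x32xBITDEPTH.png` icons) is created under a path only the thumbnailer's user can write to, so the mktemp guarantee extends to the suffixed names, and the `rm -rf` at the end cannot reach anything another user placed in `/tmp`.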
--- Begin Message ---
Source: exe-thumbnailer
Source-Version: 0.10.0-1

We believe that the bug you reported is fixed in the latest version of
exe-thumbnailer, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 868737@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Lu <bitflip3@gmail.com> (supplier of updated exe-thumbnailer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 12 Aug 2017 18:23:36 -0700
Source: exe-thumbnailer
Binary: exe-thumbnailer gnome-exe-thumbnailer
Architecture: source all
Version: 0.10.0-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Wine Party <pkg-wine-party@lists.alioth.debian.org>
Changed-By: James Lu <bitflip3@gmail.com>
Description:
 exe-thumbnailer - Windows executable (.exe, etc.) thumbnailer for Linux desktops
 gnome-exe-thumbnailer - transitional dummy package for exe-thumbnailer
Closes: 868737
Changes:
 exe-thumbnailer (0.10.0-1) experimental; urgency=medium
 .
   * New upstream release.
     - Fix insecure /tmp usage caused by suffixed files (Closes: #868737)
     - Prefer XDG_CACHE_HOME instead of the legacy ~/.thumbnails (LP: #1105796)
     - Switch to lnkinfo for .lnk parsing. This adds liblnk-utils to recommends
       in place of wine-tools.
     - Updated Moka icon set, patch from Alfredo Hernández (LP: #1404744)
   * New package name: gnome-exe-thumbnailer is now exe-thumbnailer
     - Move watch file, homepage links to the new repository link
   * Update years and authors in debian/copyright
   * Removed debian/gnome-exe-thumbnailer.1; it is superseded by the manpage
     provided upstream.
Checksums-Sha1:
 b74a9491ebf9ebe458617f3d056e25be6d5b5ab6 2085 exe-thumbnailer_0.10.0-1.dsc
 c21b51f1c33ac876d31ddf2e035e04d89bcb14b8 84948 exe-thumbnailer_0.10.0.orig.tar.gz
 1239beab0fb35f6300d872698e9aecab6505e022 4784 exe-thumbnailer_0.10.0-1.debian.tar.xz
 22ca682034add96df693829c2b37755994e61038 48240 exe-thumbnailer_0.10.0-1_all.deb
 a333050c3df8a544bb6d9c059679385d053b1a6a 5654 exe-thumbnailer_0.10.0-1_amd64.buildinfo
 023759b53b63306066219b8f32b2264a14f59866 5392 gnome-exe-thumbnailer_0.10.0-1_all.deb
Checksums-Sha256:
 d188e652315db812601ee875a7562ad86e8f785a7efc08dc6ad616a73f94fc1d 2085 exe-thumbnailer_0.10.0-1.dsc
 b1f856d7e88ac5d99e3f6e65f0a230bd25d2a2b8f63dca73c53bf087f6d0a322 84948 exe-thumbnailer_0.10.0.orig.tar.gz
 62db847ff07cdd0be912f41c7a567cd3b0b2c7ee2a8b35156db97a80987670cd 4784 exe-thumbnailer_0.10.0-1.debian.tar.xz
 eed3f78debca0ab35b7c804dea82cf07743329b5ce2c90045e107df95f37d911 48240 exe-thumbnailer_0.10.0-1_all.deb
 8dc3ff65d24cc027a90d301365000bfd314d9cbba804dde4ad6a756cdcbddf93 5654 exe-thumbnailer_0.10.0-1_amd64.buildinfo
 fda5ab4980880bdfce619fbb724b365ae5511d39a7c13c6a9ccf031ebadb0635 5392 gnome-exe-thumbnailer_0.10.0-1_all.deb
Files:
 211b5be3ce8e120408bd82327907a3f9 2085 gnome optional exe-thumbnailer_0.10.0-1.dsc
 943c9287729404c229d99cc7d22bde7a 84948 gnome optional exe-thumbnailer_0.10.0.orig.tar.gz
 61336e698da52777d3262cf130850b52 4784 gnome optional exe-thumbnailer_0.10.0-1.debian.tar.xz
 8576e8dbf75a82c453c28c7c9092ae4d 48240 gnome optional exe-thumbnailer_0.10.0-1_all.deb
 fb911775d5bdce901d31e29944a698a9 5654 gnome optional exe-thumbnailer_0.10.0-1_amd64.buildinfo
 13d08790e46146a83f8f751d29d3db24 5392 oldlibs extra gnome-exe-thumbnailer_0.10.0-1_all.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
