Bug#869676: stretch-pu: package gnome-exe-thumbnailer/0.9.4-2+deb9u1
Control: tags -1 + confirmed
On Tue, 2017-07-25 at 22:50 +0800, James Lu wrote:
> I've prepared an update to gnome-exe-thumbnailer which includes two changes
> backported from the 0.9.5 release:
>
> 1) Migrating away from insecure Wine+VBScript based parsing of .msi files to
> msitools, as part of the fix for CVE-2017-11421[1] (VBScript code injection via
> filenames containing code). This issue was marked no-dsa, so I'm sending the
> update here instead. I also adjusted the dependencies to add msitools, but IIRC
> this means that users upgrading will need to run dist-upgrade (if such a change
> is too disruptive, I will probably look at disabling version info for .msi
> files entirely).
>
> 2) Fix readability of version labels by using a dark background colour.
> Previously, the version label exe-thumbnailer adds to generated thumbnails used
> a transparent background, which shows up as white text on white with a default
> configuration.
>
> [1]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11421
Please go ahead.
Regards,
Adam
Reply to: