[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#869676: stretch-pu: package gnome-exe-thumbnailer/0.9.4-2+deb9u1

Control: tags -1 + confirmed

On Tue, 2017-07-25 at 22:50 +0800, James Lu wrote:
> I've prepared an update to gnome-exe-thumbnailer which includes two changes
> backported from the 0.9.5 release:
> 
> 1) Migrating away from insecure Wine+VBScript based parsing of .msi files to
> msitools, as part of the fix for CVE-2017-11421[1] (VBScript code injection via
> filenames containing code). This issue was marked no-dsa, so I'm sending the
> update here instead. I also adjusted the dependencies to add msitools, but IIRC
> this means that users upgrading will need to run dist-upgrade (if such a change
> is too disruptive, I will probably look at disabling version info for .msi
> files entirely).
> 
> 2) Fix readability of version labels by using a dark background colour.
> Previously, the version label exe-thumbnailer adds to generated thumbnails used
> a transparent background, which shows up as white text on white with a default
> configuration.
> 
> [1]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11421

Please go ahead.

Regards,

Adam
Reply to: