
Bug#869676: marked as done (stretch-pu: package gnome-exe-thumbnailer/0.9.4-2+deb9u1)



Your message dated Sat, 07 Oct 2017 11:33:55 +0100
with message-id <1507372435.18586.64.camel@adam-barratt.org.uk>
and subject line Closing bugs for 9.2 point release
has caused the Debian Bug report #869676,
regarding stretch-pu: package gnome-exe-thumbnailer/0.9.4-2+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
869676: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869676
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi Release Team,

I've prepared an update to gnome-exe-thumbnailer which includes two changes
backported from the 0.9.5 release:

1) Migrating away from insecure Wine+VBScript based parsing of .msi files to
msitools, as part of the fix for CVE-2017-11421[1] (VBScript code injection via
filenames containing code). This issue was marked no-dsa, so I'm sending the
update here instead. I also adjusted the dependencies to add msitools, but IIRC
this means that users upgrading will need to run dist-upgrade (if such a change
is too disruptive, I will probably look at disabling version info for .msi
files entirely).

2) Fix readability of version labels by using a dark background colour.
Previously, the version label exe-thumbnailer adds to generated thumbnails used
a transparent background, which shows up as white text on white with a default
configuration.

[1]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11421

The debdiff is attached.

Best,
James

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (700, 'testing'), (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.11.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8),
LANGUAGE=en_CA:en (charmap=UTF-8)
diff -Nru gnome-exe-thumbnailer-0.9.4/debian/changelog gnome-exe-thumbnailer-0.9.4/debian/changelog
--- gnome-exe-thumbnailer-0.9.4/debian/changelog	2016-12-12 04:55:32.000000000 +0800
+++ gnome-exe-thumbnailer-0.9.4/debian/changelog	2017-07-25 22:28:41.000000000 +0800
@@ -1,3 +1,17 @@
+gnome-exe-thumbnailer (0.9.4-2+deb9u1) stretch; urgency=high
+
+  * Add patch switch-to-msiinfo.patch:
+    - Switch to msitools' msiinfo for ProductVersion fetching, replacing the
+      insecure VBScript-based parsing as described at
+      http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html
+      (Closes: #868705; LP: #651610; CVE-2017-11421)
+  * Add msitools to recommends; it is now used to fetch .msi version info.
+  * Add patch fix-version-label-readability.patch backported from
+    https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1cf4df81836985d9660f950287232b3255ee17bb
+    to fix unreadable white-on-white text on version labels.
+
+ -- James Lu <bitflip3@gmail.com>  Tue, 25 Jul 2017 07:28:41 -0700
+
 gnome-exe-thumbnailer (0.9.4-2) unstable; urgency=medium
 
   * Add recommends on wine and wine-tools, as these are needed for .lnk and
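Review bot: the bullet "Add msitools to recommends; it is now used to fetch .msi version info" does not say what happens when the package is not installed, which matters because it is only a Recommends: switch-to-msiinfo.patch falls through to the "extended file properties" branch when `which msiinfo` fails, so .msi thumbnails quietly lose their version label on systems upgraded without the new Recommends. A clause such as "(falls back to extended file properties when msiinfo is absent)" would document that, and the same caveat belongs with the dist-upgrade remark in the cover letter.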
diff -Nru gnome-exe-thumbnailer-0.9.4/debian/control gnome-exe-thumbnailer-0.9.4/debian/control
--- gnome-exe-thumbnailer-0.9.4/debian/control	2016-12-12 04:55:32.000000000 +0800
+++ gnome-exe-thumbnailer-0.9.4/debian/control	2017-07-25 22:05:01.000000000 +0800
@@ -14,8 +14,10 @@
 Multi-Arch: foreign
 Depends: ${misc:Depends}, icoutils, imagemagick, libglib2.0-bin
 # wine and wine(32|64)-tools are needed for .lnk and .msi thumbnailing
-# wine provides winepath and cscript, while wine(32|64)-tools provides winedump
-Recommends: wine,
+# wine provides winepath, while wine(32|64)-tools provides winedump
+# mistools provides msiinfo to fetch version tags on .msi files
+Recommends: msitools,
+            wine,
             wine64-tools | wine32-tools | wine64-development-tools | wine32-development-tools
 Description: Wine .exe and other executable thumbnailer for GNOME
  gnome-exe-thumbnailer is a thumbnailer for Windows executable files
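Review bot: typo in the added comment `+# mistools provides msiinfo to fetch version tags on .msi files`: the package is `msitools`, as in the Recommends entry two lines below. The untouched first comment line (`# wine and wine(32|64)-tools are needed for .lnk and .msi thumbnailing`) should also be rechecked now that the cscript/VBScript path is gone: wine no longer serves the primary .msi version lookup, so either reword it to say which .msi step (the fallback) still needs wine, or limit it to .lnk.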
diff -Nru gnome-exe-thumbnailer-0.9.4/debian/patches/fix-version-label-readability.patch gnome-exe-thumbnailer-0.9.4/debian/patches/fix-version-label-readability.patch
--- gnome-exe-thumbnailer-0.9.4/debian/patches/fix-version-label-readability.patch	1970-01-01 08:00:00.000000000 +0800
+++ gnome-exe-thumbnailer-0.9.4/debian/patches/fix-version-label-readability.patch	2017-07-25 22:27:25.000000000 +0800
@@ -0,0 +1,20 @@
+Author: James Lu <james@overdrivenetworks.com>
+Subject: Fix readability of version labels by using a dark background colour
+ Previously, the version label used a transparent background, which would show
+ up as white text on white in many cases.
+Origin: upstream, https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1cf4df81836985d9660f950287232b3255ee17bb
+
+Index: g-e-t/usr/bin/gnome-exe-thumbnailer
+===================================================================
+--- g-e-t.orig/usr/bin/gnome-exe-thumbnailer	2017-07-25 07:23:52.269571939 -0700
++++ g-e-t/usr/bin/gnome-exe-thumbnailer	2017-07-25 07:23:52.269571939 -0700
+@@ -403,7 +403,7 @@
+ if [ "$VERSION" ]
+ then
+ 	convert -font -*-clean-medium-r-*-*-6-*-*-*-*-*-*-* \
+-	-background transparent -fill white label:"$VERSION" \
++	-background '#00001090' -fill white label:"$VERSION" \
+ 	-trim -bordercolor '#00001090' -border 2 \
+ 	-fill '#00001048' \
+ 	-draw $'color 0,0 point\ncolor 0,8 point' -flop \
+
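Review bot: style point on the DEP-3 patch: the `Index:` and `---`/`+++` paths use the `g-e-t/` prefix while switch-to-msiinfo.patch uses `gnome-exe-thumbnailer/`. quilt strips one component either way, so both apply, but one consistent prefix across debian/patches/ makes later refreshes and diffs easier to read.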
diff -Nru gnome-exe-thumbnailer-0.9.4/debian/patches/series gnome-exe-thumbnailer-0.9.4/debian/patches/series
--- gnome-exe-thumbnailer-0.9.4/debian/patches/series	2016-12-12 04:55:32.000000000 +0800
+++ gnome-exe-thumbnailer-0.9.4/debian/patches/series	2017-07-25 22:23:50.000000000 +0800
@@ -1 +1,3 @@
+fix-version-label-readability.patch
+switch-to-msiinfo.patch
 fallback-thumbnail-limit.patch
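Review bot: the two new patches are placed ahead of the existing fallback-thumbnail-limit.patch instead of being appended. series order is apply order, so if fallback-thumbnail-limit.patch touches the same script its context will now be matched against an already-modified file on every refresh. Appending new patches keeps the older patch's context stable; if the prepend is deliberate (for example to keep offsets aligned with the upstream commits), a short note in the changelog entry would save the next uploader from "fixing" it.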
diff -Nru gnome-exe-thumbnailer-0.9.4/debian/patches/switch-to-msiinfo.patch gnome-exe-thumbnailer-0.9.4/debian/patches/switch-to-msiinfo.patch
--- gnome-exe-thumbnailer-0.9.4/debian/patches/switch-to-msiinfo.patch	1970-01-01 08:00:00.000000000 +0800
+++ gnome-exe-thumbnailer-0.9.4/debian/patches/switch-to-msiinfo.patch	2017-07-25 22:22:46.000000000 +0800
@@ -0,0 +1,40 @@
+Author: James Lu <james@overdrivenetworks.com>
+Subject: Switch to msitools' msiinfo for .msi ProductVersion fetching
+ This replaces the insecure VBScript-based parsing, which has issues described
+ at http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html
+Origin: upstream, https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1d8e3102dd8fd23431ae6127d14a236da6b4a4a5
+Bug-Debian: https://bugs.debian.org/868705
+
+Index: gnome-exe-thumbnailer/usr/bin/gnome-exe-thumbnailer
+===================================================================
+--- gnome-exe-thumbnailer.orig/usr/bin/gnome-exe-thumbnailer	2017-07-18 09:14:28.425066264 +0800
++++ gnome-exe-thumbnailer/usr/bin/gnome-exe-thumbnailer	2017-07-18 09:14:28.421066261 +0800
+@@ -350,25 +350,10 @@
+ # Get the version number:
+ if [[ ${INPUTFILE##*.} = 'msi' ]]
+ then
+-	# Look for the ProductVersion property if user has the Microsoft (R) Windows Script Host installed:
+-	if which wine && grep -v 'Wine placeholder DLL' $HOME/.wine/drive_c/windows/system32/cscript.exe
++	# Look for the ProductVersion property using msitools' msiinfo if present
++	if which msiinfo
+ 	then
+-		# Workaround wine bug #19799: cscript crashes if you call WScript.Arguments(0)
+-		# http://bugs.winehq.org/show_bug.cgi?id=19799
+-		<<< "
+-			Dim WI, DB, View, Record
+-			Set WI = CreateObject(\"WindowsInstaller.Installer\")
+-			Set DB = WI.OpenDatabase(\"$INPUTFILE\",0)
+-			Set View = DB.OpenView(\"SELECT Value FROM Property WHERE Property = 'ProductVersion'\")
+-			View.Execute
+-			Wscript.Echo View.Fetch.StringData(1)
+-		" iconv -f utf8 -t unicode > $TEMPFILE1.vbs
+-
+-		VERSION=$(
+-			DISPLAY=NONE wine cscript.exe //E:vbs //NoLogo Z:\\tmp\\${TEMPFILE1##*/}.vbs 2>/dev/null \
+-			| egrep -o '^[0-9]+\.[0-9]+(\.[0-9][0-9]?)?(beta)?'
+-		)
+-
++		VERSION=$(msiinfo export "$INPUTFILE" 'Property' | grep 'ProductVersion' | cut -f 2)
+ 	else
+ 		# Try to get the version number from extended file properties at least:
+ 		VERSION=$(
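Review bot: the replacement line `VERSION=$(msiinfo export "$INPUTFILE" 'Property' | grep 'ProductVersion' | cut -f 2)` drops the format whitelist the old path applied with `egrep -o '^[0-9]+\.[0-9]+(\.[0-9][0-9]?)?(beta)?'`, so whatever string the .msi carries as ProductVersion now reaches `convert ... label:"$VERSION"` (see fix-version-label-readability.patch) unfiltered, and the unanchored `grep 'ProductVersion'` also matches any other Property row whose name or value contains that text, which can leave VERSION multi-line. Suggest matching the first column exactly and keeping the whitelist, e.g. `VERSION=$(msiinfo export "$INPUTFILE" Property 2>/dev/null | awk -F'\t' '$1 == "ProductVersion" { print $2; exit }' | egrep -o '^[0-9]+\.[0-9]+(\.[0-9][0-9]?)?(beta)?')`; the `2>/dev/null` also restores the error silencing the deleted `wine cscript.exe` line had for malformed files. Quoting `"$INPUTFILE"` is correct and is the heart of the fix, since the filename is no longer interpolated into a script body.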

--- End Message ---
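To make the point in James's first change concrete (a thumbnailer that passes untrusted metadata to other tools should anchor its lookup and whitelist the result), here is an added shell example that is not part of the bug report or of gnome-exe-thumbnailer. It works on text in the shape that `msiinfo export FILE Property` prints (a tab-separated Property/Value table with a three-line header); the table below is a constructed sample, and the "ProductVersionNote" row and its value are made up to show why an unanchored `grep 'ProductVersion'` is not enough. The whitelist pattern is the one the old VBScript path used with egrep, slightly widened to accept a fourth version component.

```shell
#!/bin/sh
# Added example, not project code: safely pull ProductVersion out of the
# text that `msiinfo export FILE Property` prints, then whitelist its shape
# before anything downstream (e.g. ImageMagick's label:) sees it.

# Constructed stand-in for msiinfo's export output: column names, column
# types, table/key line, then Property<TAB>Value rows.
SAMPLE_EXPORT="$(printf 'Property\tValue\ns72\tl0\nProperty\tProperty\nProductName\tExample App\nProductVersionNote\t9.9.9 not a version\nProductVersion\t1.2.3\nUpgradeCode\t{00000000-0000-0000-0000-000000000000}\n')"

# Exact match on column 1, value from column 2, first matching row only.
# $1 = export text, $2 = property name
get_property() {
    printf '%s\n' "$1" | awk -F'\t' -v key="$2" '$1 == key { print $2; exit }'
}

# Accept only digits and dots with an optional "beta" suffix; anything else
# collapses to an empty string so the caller falls back instead of using
# raw data from the file.  $1 = candidate version string
validate_version() {
    printf '%s\n' "$1" | grep -E -o '^[0-9]+\.[0-9]+(\.[0-9]+)?(\.[0-9]+)?(beta)?' | head -n 1
}

# $1 = export text; prints the validated ProductVersion or nothing.
extract_version() {
    validate_version "$(get_property "$1" ProductVersion)"
}

# The unanchored form from the debdiff, kept here only for contrast: it
# returns every row that merely contains the string, one line per hit.
naive_extract() {
    printf '%s\n' "$1" | grep 'ProductVersion' | cut -f 2
}

extract_version "$SAMPLE_EXPORT"
```

Running the script prints `1.2.3`; `naive_extract` on the same sample prints two lines, one of them the made-up "9.9.9 not a version", which is exactly the kind of value that should never be handed to `convert` without the whitelist.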
--- Begin Message ---
Version: 9.2

Hi.

The updates referenced by each of these bugs were included in today's
point release of stretch.

Regards,

Adam

--- End Message ---
