--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: stretch-pu: package gnome-exe-thumbnailer/0.9.4-2+deb9u1
- From: James Lu <james@overdrivenetworks.com>
- Date: Tue, 25 Jul 2017 22:50:10 +0800
- Message-id: <150099421073.5180.6530080569657875005.reportbug@silverthing>
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Hi Release Team,
I've prepared an update to gnome-exe-thumbnailer which includes two changes
backported from the 0.9.5 release:
1) Migrating away from insecure Wine+VBScript-based parsing of .msi files to
msitools, as part of the fix for CVE-2017-11421[1] (VBScript code injection via
filenames containing code). This issue was marked no-dsa, so I'm sending the
update here instead. I also adjusted the dependencies to add msitools, but IIRC
this means that users upgrading will need to run dist-upgrade (if such a change
is too disruptive, I will probably look at disabling version info for .msi
files entirely).
2) Fix readability of version labels by using a dark background colour.
Previously, the version label exe-thumbnailer adds to generated thumbnails used
a transparent background, which shows up as white text on white with a default
configuration.
[1]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11421
The debdiff is attached.
Best,
James
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (700, 'testing'), (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.11.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8),
LANGUAGE=en_CA:en (charmap=UTF-8)
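For the msiinfo-based lookup described in point 1 above, an added example (not code from the debdiff or the gnome-exe-thumbnailer project) that parses a constructed `msiinfo export FILE Property` output with an exact key match and keeps the version-shaped filter the old VBScript path applied; the tab-separated "Property<TAB>Value" layout of that export is an assumption:

```shell
#!/bin/sh
# Added example, not code from the debdiff: parse the Property table as
# `msiinfo export FILE Property` writes it (assumed here to be tab-separated
# "Property<TAB>Value" rows) and keep the ProductVersion only when it looks
# like a version, restoring the filter the VBScript path used to apply.

# Constructed sample of an exported Property table; msiinfo itself is not
# needed to run this.
SAMPLE_PROPERTY_TABLE=$(printf 'Property\tValue\ns72\tl0\nProperty\tProperty\nManufacturer\tExample Corp\nProductName\tExample App\nProductVersionMajor\t9\nProductVersion\t1.2.3\nUpgradeCode\t{PLACEHOLDER-GUID}\n')

# Exact match on the key column: a plain `grep ProductVersion` would also hit
# ProductVersionMajor in the sample above.
extract_product_version() {
    printf '%s\n' "$1" | awk -F '\t' '$1 == "ProductVersion" { print $2; exit }'
}

# Same pattern the old code fed through egrep -o: a leading version-shaped
# prefix (digits, dots, optional "beta"); anything else yields nothing, so
# only such a string ever reaches `convert ... label:"$VERSION"`.
validate_version() {
    printf '%s\n' "$1" | grep -Eo '^[0-9]+\.[0-9]+(\.[0-9][0-9]?)?(beta)?'
}

# $1: Property table text. Prints the validated version or nothing.
get_msi_version() {
    validate_version "$(extract_product_version "$1")"
}

get_msi_version "$SAMPLE_PROPERTY_TABLE"
```

In the real script the table text would come from `msiinfo export "$INPUTFILE" Property` instead of the constructed sample.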
diff -Nru gnome-exe-thumbnailer-0.9.4/debian/changelog gnome-exe-thumbnailer-0.9.4/debian/changelog
--- gnome-exe-thumbnailer-0.9.4/debian/changelog 2016-12-12 04:55:32.000000000 +0800
+++ gnome-exe-thumbnailer-0.9.4/debian/changelog 2017-07-25 22:28:41.000000000 +0800
@@ -1,3 +1,17 @@
+gnome-exe-thumbnailer (0.9.4-2+deb9u1) stretch; urgency=high
+
+ * Add patch switch-to-msiinfo.patch:
+ - Switch to msitools' msiinfo for ProductVersion fetching, replacing the
+ insecure VBScript-based parsing as described at
+ http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html
+ (Closes: #868705; LP: #651610; CVE-2017-11421)
+ * Add msitools to recommends; it is now used to fetch .msi version info.
+ * Add patch fix-version-label-readability.patch backported from
+ https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1cf4df81836985d9660f950287232b3255ee17bb
+ to fix unreadable white-on-white text on version labels.
+
+ -- James Lu <bitflip3@gmail.com> Tue, 25 Jul 2017 07:28:41 -0700
+
gnome-exe-thumbnailer (0.9.4-2) unstable; urgency=medium
* Add recommends on wine and wine-tools, as these are needed for .lnk and
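Review bot: the changelog entry records msitools as a Recommends, while the cover mail describes it as a dependency change that may require a dist-upgrade; a new Recommends is not pulled in by a plain `apt-get upgrade`, so systems without it take the `else` branch of the new `which msiinfo` test and simply lose the .msi version label. Worth stating that fallback in the entry, e.g. `  * Add msitools to recommends; used to fetch .msi version info (falls back to extended file properties when absent).`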
diff -Nru gnome-exe-thumbnailer-0.9.4/debian/control gnome-exe-thumbnailer-0.9.4/debian/control
--- gnome-exe-thumbnailer-0.9.4/debian/control 2016-12-12 04:55:32.000000000 +0800
+++ gnome-exe-thumbnailer-0.9.4/debian/control 2017-07-25 22:05:01.000000000 +0800
@@ -14,8 +14,10 @@
Multi-Arch: foreign
Depends: ${misc:Depends}, icoutils, imagemagick, libglib2.0-bin
# wine and wine(32|64)-tools are needed for .lnk and .msi thumbnailing
-# wine provides winepath and cscript, while wine(32|64)-tools provides winedump
-Recommends: wine,
+# wine provides winepath, while wine(32|64)-tools provides winedump
+# mistools provides msiinfo to fetch version tags on .msi files
+Recommends: msitools,
+ wine,
wine64-tools | wine32-tools | wine64-development-tools | wine32-development-tools
Description: Wine .exe and other executable thumbnailer for GNOME
gnome-exe-thumbnailer is a thumbnailer for Windows executable files
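Review bot: typo in the new comment `+# mistools provides msiinfo to fetch version tags on .msi files`: the package is `msitools`, as in the Recommends line directly below it; suggest `# msitools provides msiinfo to read the ProductVersion of .msi files`. The unchanged comment above it still says wine is needed for .msi thumbnailing, which after this change no longer covers the version lookup, so consider rewording it in the same pass.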
diff -Nru gnome-exe-thumbnailer-0.9.4/debian/patches/fix-version-label-readability.patch gnome-exe-thumbnailer-0.9.4/debian/patches/fix-version-label-readability.patch
--- gnome-exe-thumbnailer-0.9.4/debian/patches/fix-version-label-readability.patch 1970-01-01 08:00:00.000000000 +0800
+++ gnome-exe-thumbnailer-0.9.4/debian/patches/fix-version-label-readability.patch 2017-07-25 22:27:25.000000000 +0800
@@ -0,0 +1,20 @@
+Author: James Lu <james@overdrivenetworks.com>
+Subject: Fix readability of version labels by using a dark background colour
+ Previously, the version label used a transparent background, which would show
+ up as white text on white in many cases.
+Origin: upstream, https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1cf4df81836985d9660f950287232b3255ee17bb
+
+Index: g-e-t/usr/bin/gnome-exe-thumbnailer
+===================================================================
+--- g-e-t.orig/usr/bin/gnome-exe-thumbnailer 2017-07-25 07:23:52.269571939 -0700
++++ g-e-t/usr/bin/gnome-exe-thumbnailer 2017-07-25 07:23:52.269571939 -0700
+@@ -403,7 +403,7 @@
+ if [ "$VERSION" ]
+ then
+ convert -font -*-clean-medium-r-*-*-6-*-*-*-*-*-*-* \
+- -background transparent -fill white label:"$VERSION" \
++ -background '#00001090' -fill white label:"$VERSION" \
+ -trim -bordercolor '#00001090' -border 2 \
+ -fill '#00001048' \
+ -draw $'color 0,0 point\ncolor 0,8 point' -flop \
+
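Review bot: the hunk ends with an added empty line (`+` with nothing after it), which leaves a trailing blank line in the .patch file; quilt tolerates it, but it is easy to drop. The change itself is consistent: the new `-background '#00001090'` matches the `-bordercolor '#00001090'` already used two lines later, so label and border render in the same colour.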
diff -Nru gnome-exe-thumbnailer-0.9.4/debian/patches/series gnome-exe-thumbnailer-0.9.4/debian/patches/series
--- gnome-exe-thumbnailer-0.9.4/debian/patches/series 2016-12-12 04:55:32.000000000 +0800
+++ gnome-exe-thumbnailer-0.9.4/debian/patches/series 2017-07-25 22:23:50.000000000 +0800
@@ -1 +1,3 @@
+fix-version-label-readability.patch
+switch-to-msiinfo.patch
fallback-thumbnail-limit.patch
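Review bot: the two new patches are inserted ahead of the existing fallback-thumbnail-limit.patch rather than appended after it. switch-to-msiinfo.patch shrinks the block at line 350 of usr/bin/gnome-exe-thumbnailer from 25 to 10 lines, so fallback-thumbnail-limit.patch now applies with an offset if it touches anything below that point; appending the new patches at the end of series keeps the existing patch applying exactly as before, and in either case `quilt push -a` should be run to confirm the series applies without fuzz.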
diff -Nru gnome-exe-thumbnailer-0.9.4/debian/patches/switch-to-msiinfo.patch gnome-exe-thumbnailer-0.9.4/debian/patches/switch-to-msiinfo.patch
--- gnome-exe-thumbnailer-0.9.4/debian/patches/switch-to-msiinfo.patch 1970-01-01 08:00:00.000000000 +0800
+++ gnome-exe-thumbnailer-0.9.4/debian/patches/switch-to-msiinfo.patch 2017-07-25 22:22:46.000000000 +0800
@@ -0,0 +1,40 @@
+Author: James Lu <james@overdrivenetworks.com>
+Subject: Switch to msitools' msiinfo for .msi ProductVersion fetching
+ This replaces the insecure VBScript-based parsing, which has issues described
+ at http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html
+Origin: upstream, https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1d8e3102dd8fd23431ae6127d14a236da6b4a4a5
+Bug-Debian: https://bugs.debian.org/868705
+
+Index: gnome-exe-thumbnailer/usr/bin/gnome-exe-thumbnailer
+===================================================================
+--- gnome-exe-thumbnailer.orig/usr/bin/gnome-exe-thumbnailer 2017-07-18 09:14:28.425066264 +0800
++++ gnome-exe-thumbnailer/usr/bin/gnome-exe-thumbnailer 2017-07-18 09:14:28.421066261 +0800
+@@ -350,25 +350,10 @@
+ # Get the version number:
+ if [[ ${INPUTFILE##*.} = 'msi' ]]
+ then
+- # Look for the ProductVersion property if user has the Microsoft (R) Windows Script Host installed:
+- if which wine && grep -v 'Wine placeholder DLL' $HOME/.wine/drive_c/windows/system32/cscript.exe
++ # Look for the ProductVersion property using msitools' msiinfo if present
++ if which msiinfo
+ then
+- # Workaround wine bug #19799: cscript crashes if you call WScript.Arguments(0)
+- # http://bugs.winehq.org/show_bug.cgi?id=19799
+- <<< "
+- Dim WI, DB, View, Record
+- Set WI = CreateObject(\"WindowsInstaller.Installer\")
+- Set DB = WI.OpenDatabase(\"$INPUTFILE\",0)
+- Set View = DB.OpenView(\"SELECT Value FROM Property WHERE Property = 'ProductVersion'\")
+- View.Execute
+- Wscript.Echo View.Fetch.StringData(1)
+- " iconv -f utf8 -t unicode > $TEMPFILE1.vbs
+-
+- VERSION=$(
+- DISPLAY=NONE wine cscript.exe //E:vbs //NoLogo Z:\\tmp\\${TEMPFILE1##*/}.vbs 2>/dev/null \
+- | egrep -o '^[0-9]+\.[0-9]+(\.[0-9][0-9]?)?(beta)?'
+- )
+-
++ VERSION=$(msiinfo export "$INPUTFILE" 'Property' | grep 'ProductVersion' | cut -f 2)
+ else
+ # Try to get the version number from extended file properties at least:
+ VERSION=$(
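Review bot: the new `VERSION=$(msiinfo export "$INPUTFILE" 'Property' | grep 'ProductVersion' | cut -f 2)` drops the `egrep -o '^[0-9]+\.[0-9]+(\.[0-9][0-9]?)?(beta)?'` filter that the removed VBScript path applied, so VERSION is now whatever string the Property table holds rather than a version-shaped prefix, and that value is later handed to convert as a label; keep the filter on the new pipeline. Also `grep 'ProductVersion'` is a substring match that would also pick up any other property whose name contains that word; match the key column exactly, e.g. `awk -F'\t' '$1 == "ProductVersion" { print $2 }'`, and as with the old `which wine` test, `which msiinfo` still writes the path to stdout unless silenced.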
--- End Message ---