Hi everyone,

Resending as I used the wrong address for pkg-wine-party.

On 18/07/17 09:46 AM, James Lu wrote:
> Hi Security Team,
>
> Earlier today I received a bug report about a VBScript injection issue
> in gnome-exe-thumbnailer through specially crafted filenames. The Debian
> bug is at https://bugs.debian.org/868705, and the reporter's PoC is at
> http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html
>
> As I have commit access upstream, I fixed the bug by migrating away from
> the VBScript-based parsing in
> https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1d8e3102dd8fd23431ae6127d14a236da6b4a4a5,
> and released 0.9.5 soon after.
>
> For unstable, there is also a pending upload currently in mentors for
> 0.9.5-1. https://mentors.debian.net/package/gnome-exe-thumbnailer
>
> For stretch, my proposed fix backports the above commit as a patch and
> adds a Recommends on msitools. The update is in the pkg-wine Git repo,
> but I don't have a stretch machine to test it on (I'm on vacation right
> now):
> https://anonscm.debian.org/git/pkg-wine/gnome-exe-thumbnailer.git/log/?h=stretch-proposed
>
> The PoC was linked directly in the bug report, so the issue is now
> public. I do believe though that the impact is low because it requires
> somehow obtaining an .msi file with a very strange name, and requires a
> Wine configuration (possibly with a specific winetricks setup) to be
> already set up. There is no CVE identifier as far as I know.
>
> Best,
> James
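The bug class James describes (a filename pasted into VBScript source, so that a quote character in the name turns the rest of the name into code) and the shape of the fix (stop generating script text and hand the path to msitools as a plain argument) can be illustrated with the following added example. This is not gnome-exe-thumbnailer's code and not the upstream commit; the VBScript fragment, the function names and the `msiinfo suminfo` invocation are assumptions made for illustration, and the filenames used are constructed.

```python
"""Untrusted filename interpolated into script text versus passed as an
argv element. Added illustration, not the thumbnailer's own code."""
import re
import subprocess

# Assumed sketch of the vulnerable pattern: the path is pasted into
# VBScript source as a string literal. A double quote inside the name
# closes the literal early, so the remainder of the name is parsed as
# VBScript rather than as data.
def build_vbscript_unsafe(msi_path: str) -> str:
    return (
        'Set installer = CreateObject("WindowsInstaller.Installer")\n'
        f'Set db = installer.OpenDatabase("{msi_path}", 0)\n'
    )

# Characters that plain interpolation cannot keep inside a VBScript
# string literal: the quote delimiter, line breaks and NUL.
_UNSAFE = re.compile(r'["\r\n\x00]')

def filename_escapes_literal(msi_path: str) -> bool:
    """True when interpolating this path would break out of the literal.
    Usable as a pre-check before any script generation, or as a simple
    detection rule over thumbnailer requests / directory listings."""
    return _UNSAFE.search(msi_path) is not None

def opendatabase_literal_intact(script: str) -> bool:
    """Structural check on generated script text: the OpenDatabase line
    must contain exactly one quoted argument (two quote characters)."""
    for line in script.splitlines():
        if line.startswith("Set db = installer.OpenDatabase("):
            return line.count('"') == 2
    return False

# Hardened form, mirroring the move to msitools: the path never becomes
# program text. It is one argv element, executed without a shell, so
# quotes, spaces or semicolons in the name are just bytes in the argument.
# (Assumes msitools' `msiinfo suminfo FILE` subcommand.)
def msi_metadata_argv(msi_path: str) -> list:
    return ["msiinfo", "suminfo", msi_path]

def query_msi_summary(msi_path: str) -> str:
    """Runs msiinfo on the path with argv passing (no shell). Requires
    msitools to be installed; returns stdout or an empty string."""
    result = subprocess.run(
        msi_metadata_argv(msi_path), capture_output=True, text=True, check=False
    )
    return result.stdout if result.returncode == 0 else ""

if __name__ == "__main__":
    # Constructed filenames: one benign, one containing a quote.
    for name in ("plain setup.msi", 'report".msi'):
        script = build_vbscript_unsafe(name)
        print(name, "escapes literal:", filename_escapes_literal(name),
              "| script intact:", opendatabase_literal_intact(script),
              "| argv:", msi_metadata_argv(name))
```

The point of the two checks is that they agree: any name flagged by `filename_escapes_literal` produces a script that `opendatabase_literal_intact` rejects, while the argv form accepts the same name without any escaping because the path is data, not code.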