
Re: [pkg-wine-party] Proposed security update for gnome-exe-thumbnailer



Hi,

James, thanks for taking care of this!

On 18/07/2017 03:54, James Lu wrote:
On 18/07/17 09:46 AM, James Lu wrote:
Earlier today I received a bug report about a VBScript injection issue
in gnome-exe-thumbnailer through specially crafted filenames. The Debian
bug is at https://bugs.debian.org/868705, and the reporter's PoC is at
http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html

As I have commit access upstream, I fixed the bug by migrating away from
the VBScript-based parsing in
https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1d8e3102dd8fd23431ae6127d14a236da6b4a4a5,
and released 0.9.5 soon after.

For unstable, there is also a pending upload currently in mentors for
0.9.5-1. https://mentors.debian.net/package/gnome-exe-thumbnailer

I see from https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1d8e3102dd8fd23431ae6127d14a236da6b4a4a5 that a CVE has already been requested. Should we wait for it to be assigned before uploading, so it can be included in the changelog?

Regards,

Stephen


