Re: [pkg-wine-party] Proposed security update for gnome-exe-thumbnailer

[Stephen Kitt <skitt@debian.org>]

Hi,

James, thanks for taking care of this!

Le 18/07/2017 03:54, James Lu a écrit :
> On 18/07/17 09:46 AM, James Lu wrote:
> > Earlier today I received a bug report about a VBScript injection issue
> > in gnome-exe-thumbnailer through specially crafted filenames. The 
> > Debian
> > bug is at https://bugs.debian.org/868705, and the reporter's PoC is at
> > http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html
> >
> > As I have commit access upstream, I fixed the bug by migrating away 
> > from
> > the VBScript-based parsing in
> > https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1d8e3102dd8fd23431ae6127d14a236da6b4a4a5,
> > and released 0.9.5 soon after.
> >
> > For unstable, there is also a pending upload currently in mentors for
> > 0.9.5-1. https://mentors.debian.net/package/gnome-exe-thumbnailer

I see from 
https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1d8e3102dd8fd23431ae6127d14a236da6b4a4a5 
that a CVE has already been requested. Should we wait for it to be 
assigned before uploading, so it can be included in the changelog?

Regards,

Stephen