Bug#869676: stretch-pu: package gnome-exe-thumbnailer/0.9.4-2+deb9u1

2017-08-12 Thread Adam D. Barratt
Control: tags -1 + pending

On Thu, 2017-08-10 at 09:17 -0700, James Lu wrote:
> Hello,
> 
> This was uploaded! (CC'ing my sponsor as well)

Flagged for acceptance into p-u.

Regards,

Adam



Processed: Re: Bug#869676: stretch-pu: package gnome-exe-thumbnailer/0.9.4-2+deb9u1

2017-08-12 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #869676 [release.debian.org] stretch-pu: package gnome-exe-thumbnailer/0.9.4-2+deb9u1
Added tag(s) pending.

-- 
869676: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869676
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#869676: stretch-pu: package gnome-exe-thumbnailer/0.9.4-2+deb9u1

2017-08-10 Thread James Lu
Hello,

This was uploaded! (CC'ing my sponsor as well)

Best,
James

On 08/08/17 08:52 AM, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Tue, 2017-07-25 at 22:50 +0800, James Lu wrote:
>> I've prepared an update to gnome-exe-thumbnailer which includes two changes
>> backported from the 0.9.5 release:
>>
>> 1) Migrating away from insecure Wine+VBScript based parsing of .msi files to
>> msitools, as part of the fix for CVE-2017-11421[1] (VBScript code injection via
>> filenames containing code). This issue was marked no-dsa, so I'm sending the
>> update here instead. I also adjusted the dependencies to add msitools, but IIRC
>> this means that users upgrading will need to run dist-upgrade (if such a change
>> is too disruptive, I will probably look at disabling version info for .msi
>> files entirely).
>>
>> 2) Fix readability of version labels by using a dark background colour.
>> Previously, the version label exe-thumbnailer adds to generated thumbnails used
>> a transparent background, which shows up as white text on white with a default
>> configuration.
>>
>> [1]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11421
> 
> Please go ahead.
> 
> Regards,
> 
> Adam
> 





Processed: Re: Bug#869676: stretch-pu: package gnome-exe-thumbnailer/0.9.4-2+deb9u1

2017-08-08 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #869676 [release.debian.org] stretch-pu: package gnome-exe-thumbnailer/0.9.4-2+deb9u1
Added tag(s) confirmed.




Bug#869676: stretch-pu: package gnome-exe-thumbnailer/0.9.4-2+deb9u1

2017-08-08 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Tue, 2017-07-25 at 22:50 +0800, James Lu wrote:
> I've prepared an update to gnome-exe-thumbnailer which includes two changes
> backported from the 0.9.5 release:
> 
> 1) Migrating away from insecure Wine+VBScript based parsing of .msi files to
> msitools, as part of the fix for CVE-2017-11421[1] (VBScript code injection via
> filenames containing code). This issue was marked no-dsa, so I'm sending the
> update here instead. I also adjusted the dependencies to add msitools, but IIRC
> this means that users upgrading will need to run dist-upgrade (if such a change
> is too disruptive, I will probably look at disabling version info for .msi
> files entirely).
> 
> 2) Fix readability of version labels by using a dark background colour.
> Previously, the version label exe-thumbnailer adds to generated thumbnails used
> a transparent background, which shows up as white text on white with a default
> configuration.
> 
> [1]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11421

Please go ahead.

Regards,

Adam



Bug#869676: stretch-pu: package gnome-exe-thumbnailer/0.9.4-2+deb9u1

2017-07-25 Thread James Lu
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi Release Team,

I've prepared an update to gnome-exe-thumbnailer which includes two changes
backported from the 0.9.5 release:

1) Migrating away from insecure Wine+VBScript based parsing of .msi files to
msitools, as part of the fix for CVE-2017-11421[1] (VBScript code injection via
filenames containing code). This issue was marked no-dsa, so I'm sending the
update here instead. I also adjusted the dependencies to add msitools, but IIRC
this means that users upgrading will need to run dist-upgrade (if such a change
is too disruptive, I will probably look at disabling version info for .msi
files entirely).

2) Fix readability of version labels by using a dark background colour.
Previously, the version label exe-thumbnailer adds to generated thumbnails used
a transparent background, which shows up as white text on white with a default
configuration.

[1]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11421

The debdiff is attached.

Best,
James

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (700, 'testing'), (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.11.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8),
LANGUAGE=en_CA:en (charmap=UTF-8)
diff -Nru gnome-exe-thumbnailer-0.9.4/debian/changelog 
gnome-exe-thumbnailer-0.9.4/debian/changelog
--- gnome-exe-thumbnailer-0.9.4/debian/changelog2016-12-12 
04:55:32.0 +0800
+++ gnome-exe-thumbnailer-0.9.4/debian/changelog2017-07-25 
22:28:41.0 +0800
@@ -1,3 +1,17 @@
+gnome-exe-thumbnailer (0.9.4-2+deb9u1) stretch; urgency=high
+
+  * Add patch switch-to-msiinfo.patch:
+- Switch to msitools' msiinfo for ProductVersion fetching, replacing the
+  insecure VBScript-based parsing as described at
+  
http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html
+  (Closes: #868705; LP: #651610; CVE-2017-11421)
+  * Add msitools to recommends; it is now used to fetch .msi version info.
+  * Add patch fix-version-label-readability.patch backported from
+
https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1cf4df81836985d9660f950287232b3255ee17bb
+to fix unreadable white-on-white text on version labels.
+
+ -- James Lu   Tue, 25 Jul 2017 07:28:41 -0700
+
 gnome-exe-thumbnailer (0.9.4-2) unstable; urgency=medium
 
   * Add recommends on wine and wine-tools, as these are needed for .lnk and
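Review bot: the first changelog item names switch-to-msiinfo.patch as the CVE-2017-11421 fix, but the debdiff as quoted here carries no hunk for that patch file and none for debian/patches/series; only fix-version-label-readability.patch appears. Confirm the full debdiff adds both new patches and that series lists them (switch-to-msiinfo.patch first, since both touch usr/bin/gnome-exe-thumbnailer and the label patch's hunk is located by line number). The "Add msitools to recommends" item is also the place to state what the script does when msiinfo is absent, because a Recommends can be left uninstalled and the old cscript path is gone.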
diff -Nru gnome-exe-thumbnailer-0.9.4/debian/control 
gnome-exe-thumbnailer-0.9.4/debian/control
--- gnome-exe-thumbnailer-0.9.4/debian/control  2016-12-12 04:55:32.0 
+0800
+++ gnome-exe-thumbnailer-0.9.4/debian/control  2017-07-25 22:05:01.0 
+0800
@@ -14,8 +14,10 @@
 Multi-Arch: foreign
 Depends: ${misc:Depends}, icoutils, imagemagick, libglib2.0-bin
 # wine and wine(32|64)-tools are needed for .lnk and .msi thumbnailing
-# wine provides winepath and cscript, while wine(32|64)-tools provides winedump
-Recommends: wine,
+# wine provides winepath, while wine(32|64)-tools provides winedump
+# mistools provides msiinfo to fetch version tags on .msi files
+Recommends: msitools,
+wine,
 wine64-tools | wine32-tools | wine64-development-tools | 
wine32-development-tools
 Description: Wine .exe and other executable thumbnailer for GNOME
  gnome-exe-thumbnailer is a thumbnailer for Windows executable files
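Review bot: typo in the added comment line `+# mistools provides msiinfo to fetch version tags on .msi files`; it should read `msitools`. Since msitools sits under Recommends rather than Depends, the msiinfo code path has to treat a missing msiinfo as "no version label" rather than failing or reaching for the removed VBScript route. The retained first comment line, `# wine and wine(32|64)-tools are needed for .lnk and .msi thumbnailing`, now overstates wine's role for .msi: either say what wine still does for .msi files or drop `.msi` from it so nobody reads it as the cscript parser still being in use.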
diff -Nru 
gnome-exe-thumbnailer-0.9.4/debian/patches/fix-version-label-readability.patch 
gnome-exe-thumbnailer-0.9.4/debian/patches/fix-version-label-readability.patch
--- 
gnome-exe-thumbnailer-0.9.4/debian/patches/fix-version-label-readability.patch  
1970-01-01 08:00:00.0 +0800
+++ 
gnome-exe-thumbnailer-0.9.4/debian/patches/fix-version-label-readability.patch  
2017-07-25 22:27:25.0 +0800
@@ -0,0 +1,20 @@
+Author: James Lu 
+Subject: Fix readability of version labels by using a dark background colour
+ Previously, the version label used a transparent background, which would show
+ up as white text on white in many cases.
+Origin: upstream, 
https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1cf4df81836985d9660f950287232b3255ee17bb
+
+Index: g-e-t/usr/bin/gnome-exe-thumbnailer
+===
+--- g-e-t.orig/usr/bin/gnome-exe-thumbnailer   2017-07-25 07:23:52.269571939 
-0700
 g-e-t/usr/bin/gnome-exe-thumbnailer2017-07-25 07:23:52.269571939 
-0700
+@@ -403,7 +403,7 @@
+ if [ "$VERSION" ]
+ then
+   convert -font -*-clean-medium-r-*-*-6-*-*-*-*-*-*-* \
+-  -background transparent -fill white label:"$VERSION" \
++  -background '#1090' -fill white label:"$VERSION" \
+   -trim -bordercolor '#1090' -border 2 \
+
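The msiinfo-based lookup that James's report describes (passing the .msi to a real parser instead of generating VBScript around its filename), as an added illustration that is not the package's own script or its switch-to-msiinfo.patch. It assumes `msiinfo export FILE Property` prints the Property table in tab-separated IDT form with a ProductVersion row; the numeric-dotted check on the result is this example's own defensive choice, based on the form MSI defines for ProductVersion.

```shell
#!/bin/sh
# Added example, not code from gnome-exe-thumbnailer. Assumes msitools'
# "msiinfo export FILE Property" prints the Property table as tab-separated
# IDT text (header lines, then Property<TAB>Value rows, possibly CRLF).

# Accept only the dotted-numeric form an MSI ProductVersion is supposed to
# have; anything else is dropped rather than passed on to another command.
valid_version() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
        *) return 0 ;;
    esac
}

# msi_version FILE: print ProductVersion, or print nothing and return 1.
# The filename is one argv element; no script or command line is built from
# its contents, so quotes or code in the name are just characters in a path.
msi_version() {
    file=$1
    command -v msiinfo >/dev/null 2>&1 || return 1   # no msitools: no label
    [ -f "$file" ] || return 1
    case "$file" in -*) file="./$file" ;; esac       # never looks like an option
    version=$(msiinfo export "$file" Property 2>/dev/null |
              awk -F'\t' '$1 == "ProductVersion" { sub(/\r$/, "", $2); print $2; exit }')
    valid_version "$version" || return 1
    printf '%s\n' "$version"
}

# Usage: msi_version some.msi   (prints e.g. 1.2.3, or nothing on failure)
```

Only a value that passes valid_version reaches a later `convert label:` call, so a malformed or hostile property value leads to a thumbnail without a version label rather than to surprising arguments.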