Re: [DNG] VBScript Injection via GNOME Thumbnailer

On Tue, Jul 18, 2017 at 08:06:12AM +0200, Joachim Fahrner wrote: > Another nice bug in Gnome: > http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html Actually, it turns out it's not a Gnome component: Maintainer: Debian Wine Party

Re: [DNG] VBScript Injection via GNOME Thumbnailer

Hi, Adam Borowski writes: > On Wed, Jul 19, 2017 at 08:28:25PM +0900, Olaf Meeuwissen wrote: >> Adam Borowski writes: >> > On Tue, Jul 18, 2017 at 10:07:35PM +0200, Adam Borowski wrote: >> >> Actually, imagemagick is one of worst offenders here. The version in >> >> Jessie >> >> is at deb8u9,

Re: [DNG] VBScript Injection via GNOME Thumbnailer

On Wed, Jul 19, 2017 at 08:28:25PM +0900, Olaf Meeuwissen wrote: > Adam Borowski writes: > > On Tue, Jul 18, 2017 at 10:07:35PM +0200, Adam Borowski wrote: > >> Actually, imagemagick is one of worst offenders here. The version in > >> Jessie > >> is at deb8u9, and every security update tends to

Re: [DNG] VBScript Injection via GNOME Thumbnailer

Hi, Adam Borowski writes: > On Tue, Jul 18, 2017 at 10:07:35PM +0200, Adam Borowski wrote: >> Actually, imagemagick is one of worst offenders here. The version in Jessie >> is at deb8u9, and every security update tends to mention ~20 CVEs. > > ... nd, just hours later, here comes deb8u10: >

Re: [DNG] VBScript Injection via GNOME Thumbnailer

On Tue, Jul 18, 2017 at 10:07:35PM +0200, Adam Borowski wrote: > Actually, imagemagick is one of worst offenders here. The version in Jessie > is at deb8u9, and every security update tends to mention ~20 CVEs. ... nd, just hours later, here comes deb8u10: # Package: imagemagick #

Re: [DNG] VBScript Injection via GNOME Thumbnailer

On 2017-07-18 20:07, Adam Borowski wrote: > On Tue, Jul 18, 2017 at 06:15:20PM +, Daniel Abrecht wrote: >> Since thumbnails have to be generated somehow, they need some kind of >> generator. To use plugins, which are resembled by executables in this >> case, is a perfectly fine approach for

Re: [DNG] VBScript Injection via GNOME Thumbnailer

On Tue, Jul 18, 2017 at 06:15:20PM +, Daniel Abrecht wrote: > Since thumbnails have to be generated somehow, they need some kind of > generator. To use plugins, which are resembled by executables in this > case, is a perfectly fine approach for this. Uhm, but why? I can understand a

Re: [DNG] VBScript Injection via GNOME Thumbnailer

Since thumbnails have to be generated somehow, they need some kind of generator. To use plugins, which are resembled by executables in this case, is a perfectly fine approach for this. The real problem is that despite it's well known that thumbnail generators have a really big attack surface,

Re: [DNG] VBScript Injection via GNOME Thumbnailer

Quoting Adam Borowski (kilob...@angband.pl): > But _why_ would you say this is an excuse? Wine is an unrelated piece of > software, and it's not a bug in Wine. I agree with your well-stated take on this. I'm merely pointing out that the original statement that GNOME's thumbnailer displays the

Re: [DNG] VBScript Injection via GNOME Thumbnailer

On 18.07.2017 08:45, Rick Moen wrote: Strictly speaking, I am reasonably sure it doesn't _depend_ on WINE, but merely use it if it's present. The fact that it silently starts proprietary executables (eg. the windows scripting host), just because they're there, indeed is a huge bug, more

Re: [DNG] VBScript Injection via GNOME Thumbnailer

On Tue, Jul 18, 2017 at 12:39:45AM -0700, Rick Moen wrote: > Quoting Joachim Fahrner (j...@fahrner.name): > > > Another nice bug in Gnome: > > http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html > > I feel almost dirty making excuses for GNOME ;-> , but this bug in >

Re: [DNG] VBScript Injection via GNOME Thumbnailer

schrieblings From: j...@fahrner.name > That"s the point. All these things made by Poettering, Gnome Team, Read > Hat ... are rubbish monsters, too complex to make them safe. They put > all things in they can think of. A thumbnailer that depends on wine! > Unbelievable! That"s no good and clean

Re: [DNG] VBScript Injection via GNOME Thumbnailer

Quoting Joachim Fahrner (j...@fahrner.name): > That's the point. All these things made by Poettering, Gnome Team, > Read Hat ... are rubbish monsters, too complex to make them safe. > They put all things in they can think of. A thumbnailer that depends > on wine! Unbelievable! That's no good and

Re: [DNG] VBScript Injection via GNOME Thumbnailer

Am 2017-07-18 09:39, schrieb Rick Moen: OTOH, clearly the parser code in /usr/bin/gnome-exe-thumbnailer is rubbish, as it shouldn't be possible to fool it into processing embedded VBSCript in a filename. That's the point. All these things made by Poettering, Gnome Team, Read Hat ... are

Re: [DNG] VBScript Injection via GNOME Thumbnailer

Quoting Joachim Fahrner (j...@fahrner.name): > Another nice bug in Gnome: > http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html I feel almost dirty making excuses for GNOME ;-> , but this bug in /usr/bin/gnome-exe-thumbnailer appears to be exploitable only if WINE is

[DNG] VBScript Injection via GNOME Thumbnailer

Another nice bug in Gnome: http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html Jochen ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng