Your message dated Sat, 07 Oct 2017 11:33:55 +0100
with message-id <1507372435.18586.64.ca...@adam-barratt.org.uk>
and subject line Closing bugs for 9.2 point release
has caused the Debian Bug report #869676,
regarding stretch-pu: package gnome-exe-thumbnailer/0.9.4-2+deb9u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
869676: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869676
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
Hi Release Team,
I've prepared an update to gnome-exe-thumbnailer which includes two changes
backported from the 0.9.5 release:
1) Migrating away from insecure Wine+VBScript-based parsing of .msi files to
msitools, as part of the fix for CVE-2017-11421[1] (VBScript code injection via
filenames containing code). This issue was marked no-dsa, so I'm sending the
update here instead. I also adjusted the dependencies to add msitools, but IIRC
this means that users upgrading will need to run dist-upgrade (if such a change
is too disruptive, I will probably look at disabling version info for .msi
files entirely).
2) Fix readability of version labels by using a dark background colour.
Previously, the version label exe-thumbnailer adds to generated thumbnails used
a transparent background, which shows up as white text on white with a default
configuration.
[1]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11421
The debdiff is attached.
Best,
James
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (700, 'testing'), (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.11.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8),
LANGUAGE=en_CA:en (charmap=UTF-8)
diff -Nru gnome-exe-thumbnailer-0.9.4/debian/changelog
gnome-exe-thumbnailer-0.9.4/debian/changelog
--- gnome-exe-thumbnailer-0.9.4/debian/changelog 2016-12-12
04:55:32.000000000 +0800
+++ gnome-exe-thumbnailer-0.9.4/debian/changelog 2017-07-25
22:28:41.000000000 +0800
@@ -1,3 +1,17 @@
+gnome-exe-thumbnailer (0.9.4-2+deb9u1) stretch; urgency=high
+
+ * Add patch switch-to-msiinfo.patch:
+ - Switch to msitools' msiinfo for ProductVersion fetching, replacing the
+ insecure VBScript-based parsing as described at
+
http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html
+ (Closes: #868705; LP: #651610; CVE-2017-11421)
+ * Add msitools to recommends; it is now used to fetch .msi version info.
+ * Add patch fix-version-label-readability.patch backported from
+
https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1cf4df81836985d9660f950287232b3255ee17bb
+ to fix unreadable white-on-white text on version labels.
+
+ -- James Lu <bitfl...@gmail.com> Tue, 25 Jul 2017 07:28:41 -0700
+
gnome-exe-thumbnailer (0.9.4-2) unstable; urgency=medium
* Add recommends on wine and wine-tools, as these are needed for .lnk and
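Review bot: the first bullet of the new changelog entry does not say what happens on systems that lack msitools, which this update only adds to Recommends, not Depends. The script in switch-to-msiinfo.patch guards the new path with `if which msiinfo` and otherwise falls back to the extended-file-properties lookup, so .msi version labels quietly change behaviour when the package is absent; one sentence to that effect in the entry would spare users of the point release a surprise. The bullet also reads "Add msitools to recommends" where the field is `Recommends`; worth matching the control file's spelling.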
diff -Nru gnome-exe-thumbnailer-0.9.4/debian/control
gnome-exe-thumbnailer-0.9.4/debian/control
--- gnome-exe-thumbnailer-0.9.4/debian/control 2016-12-12 04:55:32.000000000
+0800
+++ gnome-exe-thumbnailer-0.9.4/debian/control 2017-07-25 22:05:01.000000000
+0800
@@ -14,8 +14,10 @@
Multi-Arch: foreign
Depends: ${misc:Depends}, icoutils, imagemagick, libglib2.0-bin
# wine and wine(32|64)-tools are needed for .lnk and .msi thumbnailing
-# wine provides winepath and cscript, while wine(32|64)-tools provides winedump
-Recommends: wine,
+# wine provides winepath, while wine(32|64)-tools provides winedump
+# mistools provides msiinfo to fetch version tags on .msi files
+Recommends: msitools,
+ wine,
wine64-tools | wine32-tools | wine64-development-tools |
wine32-development-tools
Description: Wine .exe and other executable thumbnailer for GNOME
gnome-exe-thumbnailer is a thumbnailer for Windows executable files
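Review bot: the added comment misspells the package, `# mistools provides msiinfo to fetch version tags on .msi files` should read `msitools`. The retained line above it, `# wine and wine(32|64)-tools are needed for .lnk and .msi thumbnailing`, is also now stale for the .msi case: this very update moves .msi version lookup to msiinfo, and the next comment already drops cscript from what wine provides, so the two comments contradict each other. Suggest rewording the first to name only what wine is still needed for, and noting that msitools is Recommends rather than Depends because the script falls back when msiinfo is missing.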
diff -Nru
gnome-exe-thumbnailer-0.9.4/debian/patches/fix-version-label-readability.patch
gnome-exe-thumbnailer-0.9.4/debian/patches/fix-version-label-readability.patch
---
gnome-exe-thumbnailer-0.9.4/debian/patches/fix-version-label-readability.patch
1970-01-01 08:00:00.000000000 +0800
+++
gnome-exe-thumbnailer-0.9.4/debian/patches/fix-version-label-readability.patch
2017-07-25 22:27:25.000000000 +0800
@@ -0,0 +1,20 @@
+Author: James Lu <ja...@overdrivenetworks.com>
+Subject: Fix readability of version labels by using a dark background colour
+ Previously, the version label used a transparent background, which would show
+ up as white text on white in many cases.
+Origin: upstream,
https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1cf4df81836985d9660f950287232b3255ee17bb
+
+Index: g-e-t/usr/bin/gnome-exe-thumbnailer
+===================================================================
+--- g-e-t.orig/usr/bin/gnome-exe-thumbnailer 2017-07-25 07:23:52.269571939
-0700
++++ g-e-t/usr/bin/gnome-exe-thumbnailer 2017-07-25 07:23:52.269571939
-0700
+@@ -403,7 +403,7 @@
+ if [ "$VERSION" ]
+ then
+ convert -font -*-clean-medium-r-*-*-6-*-*-*-*-*-*-* \
+- -background transparent -fill white label:"$VERSION" \
++ -background '#00001090' -fill white label:"$VERSION" \
+ -trim -bordercolor '#00001090' -border 2 \
+ -fill '#00001048' \
+ -draw $'color 0,0 point\ncolor 0,8 point' -flop \
+
diff -Nru gnome-exe-thumbnailer-0.9.4/debian/patches/series
gnome-exe-thumbnailer-0.9.4/debian/patches/series
--- gnome-exe-thumbnailer-0.9.4/debian/patches/series 2016-12-12
04:55:32.000000000 +0800
+++ gnome-exe-thumbnailer-0.9.4/debian/patches/series 2017-07-25
22:23:50.000000000 +0800
@@ -1 +1,3 @@
+fix-version-label-readability.patch
+switch-to-msiinfo.patch
fallback-thumbnail-limit.patch
diff -Nru gnome-exe-thumbnailer-0.9.4/debian/patches/switch-to-msiinfo.patch
gnome-exe-thumbnailer-0.9.4/debian/patches/switch-to-msiinfo.patch
--- gnome-exe-thumbnailer-0.9.4/debian/patches/switch-to-msiinfo.patch
1970-01-01 08:00:00.000000000 +0800
+++ gnome-exe-thumbnailer-0.9.4/debian/patches/switch-to-msiinfo.patch
2017-07-25 22:22:46.000000000 +0800
@@ -0,0 +1,40 @@
+Author: James Lu <ja...@overdrivenetworks.com>
+Subject: Switch to msitools' msiinfo for .msi ProductVersion fetching
+ This replaces the insecure VBScript-based parsing, which has issues described
+ at http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html
+Origin: upstream,
https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1d8e3102dd8fd23431ae6127d14a236da6b4a4a5
+Bug-Debian: https://bugs.debian.org/868705
+
+Index: gnome-exe-thumbnailer/usr/bin/gnome-exe-thumbnailer
+===================================================================
+--- gnome-exe-thumbnailer.orig/usr/bin/gnome-exe-thumbnailer 2017-07-18
09:14:28.425066264 +0800
++++ gnome-exe-thumbnailer/usr/bin/gnome-exe-thumbnailer 2017-07-18
09:14:28.421066261 +0800
+@@ -350,25 +350,10 @@
+ # Get the version number:
+ if [[ ${INPUTFILE##*.} = 'msi' ]]
+ then
+- # Look for the ProductVersion property if user has the Microsoft (R)
Windows Script Host installed:
+- if which wine && grep -v 'Wine placeholder DLL'
$HOME/.wine/drive_c/windows/system32/cscript.exe
++ # Look for the ProductVersion property using msitools' msiinfo if
present
++ if which msiinfo
+ then
+- # Workaround wine bug #19799: cscript crashes if you call
WScript.Arguments(0)
+- # http://bugs.winehq.org/show_bug.cgi?id=19799
+- <<< "
+- Dim WI, DB, View, Record
+- Set WI = CreateObject(\"WindowsInstaller.Installer\")
+- Set DB = WI.OpenDatabase(\"$INPUTFILE\",0)
+- Set View = DB.OpenView(\"SELECT Value FROM Property
WHERE Property = 'ProductVersion'\")
+- View.Execute
+- Wscript.Echo View.Fetch.StringData(1)
+- " iconv -f utf8 -t unicode > $TEMPFILE1.vbs
+-
+- VERSION=$(
+- DISPLAY=NONE wine cscript.exe //E:vbs //NoLogo
Z:\\tmp\\${TEMPFILE1##*/}.vbs 2>/dev/null \
+- | egrep -o '^[0-9]+\.[0-9]+(\.[0-9][0-9]?)?(beta)?'
+- )
+-
++ VERSION=$(msiinfo export "$INPUTFILE" 'Property' | grep
'ProductVersion' | cut -f 2)
+ else
+ # Try to get the version number from extended file properties
at least:
+ VERSION=$(
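Review bot: the replacement `VERSION=$(msiinfo export "$INPUTFILE" 'Property' | grep 'ProductVersion' | cut -f 2)` drops the `egrep -o '^[0-9]+\.[0-9]+(\.[0-9][0-9]?)?(beta)?'` whitelist that the removed VBScript path applied to its result, so VERSION now carries whatever string the .msi Property table holds straight into `convert ... label:"$VERSION"` in the readability patch. That string is attacker-supplied input from the file being thumbnailed, and ImageMagick treats a label argument beginning with `@` as a file to read, so the filter should stay on the new path as well. The property match should also be on the whole first field rather than a substring, since `grep 'ProductVersion'` picks up any row or value containing the word (a ProductVersionOld property, for instance); something like `awk -F'\t' '$1 == "ProductVersion" { print $2 }'` over the IDT output does both selections in one step. Minor: `which msiinfo` prints the resolved path to stdout; `command -v msiinfo >/dev/null 2>&1` is quieter and POSIX, and the same applies to the `which wine` it replaces.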
--- End Message ---
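The two issues in the submission above, a filename interpolated into generated VBScript source and a Property value passed on unfiltered, are shown side by side in the following shell example. It is added here and is not code from the submission or from gnome-exe-thumbnailer; the function names, the `--demo` flag and the two IDT tables are constructed for this illustration, and the table layout assumes the tab-separated IDT format that `msiinfo export FILE Property` prints.

```shell
#!/bin/sh
# Added example, not code from the submission or from gnome-exe-thumbnailer.
# Contrasts the two ways a version string was fetched from an .msi and shows
# how to keep the value safe before it reaches ImageMagick.
# The IDT tables below are constructed for this example, not exported from a real .msi.

# 1) The removed path: the filename was interpolated into VBScript source.
#    Mirrors the shape of the old here-string (iconv step omitted). A filename
#    containing a double quote ends the string literal early and the rest of
#    the name is parsed as VBScript, which is the CVE-2017-11421 injection.
old_vbs_open_line() {
    printf 'Set DB = WI.OpenDatabase("%s",0)\n' "$1"
}

# 2) The new path: msiinfo prints an IDT table, i.e. tab-separated rows
#    (column names, column types, key row, then one row per property).
#    Match the property name as the whole first field, not as a substring,
#    so ProductVersionOld or a Value merely containing the word is ignored.
msi_property() {
    awk -F "$(printf '\t')" -v want="$1" '$1 == want { print $2; exit }'
}

# Whitelist the value to the shape the old egrep enforced:
# digits.digits[.digits...][beta]. Anything else becomes the empty string,
# so an arbitrary Property value never reaches `convert ... label:"$VERSION"`
# (ImageMagick reads a label starting with '@' from the named file).
sanitize_version() {
    grep -E -o '^[0-9]+\.[0-9]+(\.[0-9]+)*(beta)?' || true
}

msi_version() {
    msi_property ProductVersion | sanitize_version
}

# Constructed sample tables in IDT layout (header, types, key row, data).
benign_table() {
    printf 'Property\tValue\n'
    printf 's72\tl0\n'
    printf 'Property\tProperty\n'
    printf 'ProductName\tExample App\n'
    printf 'ProductVersionOld\t1.0.0\n'
    printf 'ProductVersion\t2.4.1\n'
    printf 'Manufacturer\tExample Corp\n'
}

hostile_table() {
    printf 'Property\tValue\n'
    printf 's72\tl0\n'
    printf 'Property\tProperty\n'
    printf 'ProductVersion\t@/etc/passwd\n'
}

if [ "${1:-}" = "--demo" ]; then
    # Hypothetical hostile filename: the quote closes the literal early.
    old_vbs_open_line 'Z:\tmp\evil").Run("calc.exe'
    benign_table | msi_version     # 2.4.1
    hostile_table | msi_version    # (empty: value rejected by the whitelist)
fi
```

Run it with `sh example.sh --demo` to see the broken-out VBScript line followed by the accepted and rejected versions. The submission dropped VBScript entirely, which removes the first problem outright; the second half of the example is the filter that the removed path applied and the new `msiinfo | grep | cut` line no longer does.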
--- Begin Message ---
Version: 9.2
Hi.
The updates referenced by each of these bugs were included in today's
point release of stretch.
Regards,
Adam
--- End Message ---