On Tue, Jul 18, 2017 at 08:06:12AM +0200, Joachim Fahrner wrote:
> Another nice bug in Gnome:
> http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html
Actually, it turns out it's not a Gnome component:
Maintainer: Debian Wine Party
Current upstream: https://github.com/gnome-ex
Hi,
Adam Borowski writes:
> On Wed, Jul 19, 2017 at 08:28:25PM +0900, Olaf Meeuwissen wrote:
>> Adam Borowski writes:
>> > On Tue, Jul 18, 2017 at 10:07:35PM +0200, Adam Borowski wrote:
>> >> Actually, imagemagick is one of the worst offenders here. The version in
>> >> Jessie
>> >> is at deb8u9, a
On Wed, Jul 19, 2017 at 08:28:25PM +0900, Olaf Meeuwissen wrote:
> Adam Borowski writes:
> > On Tue, Jul 18, 2017 at 10:07:35PM +0200, Adam Borowski wrote:
> >> Actually, imagemagick is one of the worst offenders here. The version in
> >> Jessie
> >> is at deb8u9, and every security update tends to m
Hi,
Adam Borowski writes:
> On Tue, Jul 18, 2017 at 10:07:35PM +0200, Adam Borowski wrote:
>> Actually, imagemagick is one of the worst offenders here. The version in Jessie
>> is at deb8u9, and every security update tends to mention ~20 CVEs.
>
> ... and, just hours later, here comes deb8u10:
>
On Tue, Jul 18, 2017 at 10:07:35PM +0200, Adam Borowski wrote:
> Actually, imagemagick is one of the worst offenders here. The version in Jessie
> is at deb8u9, and every security update tends to mention ~20 CVEs.
... and, just hours later, here comes deb8u10:
# Package: imagemagick
# CVE
On 2017-07-18 20:07, Adam Borowski wrote:
> On Tue, Jul 18, 2017 at 06:15:20PM +, Daniel Abrecht wrote:
>> Since thumbnails have to be generated somehow, they need some kind of
>> generator. To use plugins, which are resembled by executables in this
>> case, is a perfectly fine approach for thi
On Tue, Jul 18, 2017 at 06:15:20PM +, Daniel Abrecht wrote:
> Since thumbnails have to be generated somehow, they need some kind of
> generator. To use plugins, which are resembled by executables in this
> case, is a perfectly fine approach for this.
Uhm, but why? I can understand a thumbnail
On Tue, Jul 18, 2017 at 10:47:07AM -0700, Rick Moen wrote:
> WINE is a fine and useful package (and this bug isn't its fault). My
> point is merely that in the _general_ case, it would not be expected to
> accompany GNOME. (I'm very much not a GNOME fan.)
It's not software that would in any way
Since thumbnails have to be generated somehow, they need some kind of
generator. To use plugins, which are resembled by executables in this
case, is a perfectly fine approach for this.
The real problem is that despite it's well known that thumbnail
generators have a really big attack surface, noth
Quoting Adam Borowski (kilob...@angband.pl):
> But _why_ would you say this is an excuse? Wine is an unrelated piece of
> software, and it's not a bug in Wine.
I agree with your well-stated take on this. I'm merely pointing out that the
original statement that GNOME's thumbnailer displays the i
Quoting Enrico Weigelt, metux IT consult (enrico.weig...@gr13.net):
> On 18.07.2017 08:45, Rick Moen wrote:
>
> >Strictly speaking, I am reasonably sure it doesn't _depend_ on WINE, but
> >merely use it if it's present.
>
> The fact that it silently starts proprietary executables (eg. the
> wind
On 18.07.2017 08:45, Rick Moen wrote:
Strictly speaking, I am reasonably sure it doesn't _depend_ on WINE, but
merely use it if it's present.
The fact that it silently starts proprietary executables (eg. the
windows scripting host), just because they're there, indeed is a
huge bug, more precis
On Tue, Jul 18, 2017 at 12:39:45AM -0700, Rick Moen wrote:
> Quoting Joachim Fahrner (j...@fahrner.name):
>
> > Another nice bug in Gnome:
> > http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html
>
> I feel almost dirty making excuses for GNOME ;-> , but this bug in
> /usr/
schrieblings From: j...@fahrner.name
> That's the point. All these things made by Poettering, Gnome Team, Read
> Hat ... are rubbish monsters, too complex to make them safe. They put
> all things in they can think of. A thumbnailer that depends on wine!
> Unbelievable! That's no good and clean sof
Quoting Joachim Fahrner (j...@fahrner.name):
> That's the point. All these things made by Poettering, Gnome Team,
> Read Hat ... are rubbish monsters, too complex to make them safe.
> They put all things in they can think of. A thumbnailer that depends
> on wine! Unbelievable! That's no good and c
Am 2017-07-18 09:39, schrieb Rick Moen:
OTOH, clearly the parser code in /usr/bin/gnome-exe-thumbnailer is
rubbish, as it shouldn't be possible to fool it into processing
embedded VBScript in a filename.
That's the point. All these things made by Poettering, Gnome Team, Read
Hat ... are rubb
Quoting Joachim Fahrner (j...@fahrner.name):
> Another nice bug in Gnome:
> http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html
I feel almost dirty making excuses for GNOME ;-> , but this bug in
/usr/bin/gnome-exe-thumbnailer appears to be exploitable only if WINE
is inst
Another nice bug in Gnome:
http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html
Jochen
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng