Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
Hi Release Team,

I've prepared an update to gnome-exe-thumbnailer which includes two changes backported from the 0.9.5 release:

1) Migrating away from insecure Wine+VBScript-based parsing of .msi files to msitools, as part of the fix for CVE-2017-11421 [1] (VBScript code injection via filenames containing code). This issue was marked no-dsa, so I'm sending the update here instead. I also adjusted the dependencies to add msitools, but IIRC this means that users upgrading will need to run dist-upgrade (if such a change is too disruptive, I will probably look at disabling version info for .msi files entirely).

2) Fix readability of version labels by using a dark background colour. Previously, the version label exe-thumbnailer adds to generated thumbnails used a transparent background, which shows up as white text on white with a default configuration.

[1]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11421

The debdiff is attached.

Best,
James

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (700, 'testing'), (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.11.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA:en (charmap=UTF-8)
diff -Nru gnome-exe-thumbnailer-0.9.4/debian/changelog gnome-exe-thumbnailer-0.9.4/debian/changelog --- gnome-exe-thumbnailer-0.9.4/debian/changelog 2016-12-12 04:55:32.000000000 +0800 +++ gnome-exe-thumbnailer-0.9.4/debian/changelog 2017-07-25 22:28:41.000000000 +0800 @@ -1,3 +1,17 @@ +gnome-exe-thumbnailer (0.9.4-2+deb9u1) stretch; urgency=high + + * Add patch switch-to-msiinfo.patch: + - Switch to msitools' msiinfo for ProductVersion fetching, replacing the + insecure VBScript-based parsing as described at + http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html + (Closes: #868705; LP: #651610; CVE-2017-11421) + * Add msitools to recommends; it is now used to fetch .msi version info. + * Add patch fix-version-label-readability.patch backported from + https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1cf4df81836985d9660f950287232b3255ee17bb + to fix unreadable white-on-white text on version labels. + + -- James Lu <bitfl...@gmail.com> Tue, 25 Jul 2017 07:28:41 -0700 + gnome-exe-thumbnailer (0.9.4-2) unstable; urgency=medium * Add recommends on wine and wine-tools, as these are needed for .lnk and diff -Nru gnome-exe-thumbnailer-0.9.4/debian/control gnome-exe-thumbnailer-0.9.4/debian/control --- gnome-exe-thumbnailer-0.9.4/debian/control 2016-12-12 04:55:32.000000000 +0800 +++ gnome-exe-thumbnailer-0.9.4/debian/control 2017-07-25 22:05:01.000000000 +0800 
@@ -14,8 +14,10 @@ Multi-Arch: foreign Depends: ${misc:Depends}, icoutils, imagemagick, libglib2.0-bin # wine and wine(32|64)-tools are needed for .lnk and .msi thumbnailing -# wine provides winepath and cscript, while wine(32|64)-tools provides winedump -Recommends: wine, +# wine provides winepath, while wine(32|64)-tools provides winedump +# mistools provides msiinfo to fetch version tags on .msi files +Recommends: msitools, + wine, wine64-tools | wine32-tools | wine64-development-tools | wine32-development-tools Description: Wine .exe and other executable thumbnailer for GNOME gnome-exe-thumbnailer is a thumbnailer for Windows executable files diff -Nru gnome-exe-thumbnailer-0.9.4/debian/patches/fix-version-label-readability.patch gnome-exe-thumbnailer-0.9.4/debian/patches/fix-version-label-readability.patch --- gnome-exe-thumbnailer-0.9.4/debian/patches/fix-version-label-readability.patch 1970-01-01 08:00:00.000000000 +0800 +++ gnome-exe-thumbnailer-0.9.4/debian/patches/fix-version-label-readability.patch 2017-07-25 22:27:25.000000000 +0800 
@@ -0,0 +1,20 @@ +Author: James Lu <ja...@overdrivenetworks.com> +Subject: Fix readability of version labels by using a dark background colour + Previously, the version label used a transparent background, which would show + up as white text on white in many cases. +Origin: upstream, https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1cf4df81836985d9660f950287232b3255ee17bb + +Index: g-e-t/usr/bin/gnome-exe-thumbnailer +=================================================================== +--- g-e-t.orig/usr/bin/gnome-exe-thumbnailer 2017-07-25 07:23:52.269571939 -0700 ++++ g-e-t/usr/bin/gnome-exe-thumbnailer 2017-07-25 07:23:52.269571939 -0700 +@@ -403,7 +403,7 @@ + if [ "$VERSION" ] + then + convert -font -*-clean-medium-r-*-*-6-*-*-*-*-*-*-* \ +- -background transparent -fill white label:"$VERSION" \ ++ -background '#00001090' -fill white label:"$VERSION" \ + -trim -bordercolor '#00001090' -border 2 \ + -fill '#00001048' \ + -draw $'color 0,0 point\ncolor 0,8 point' -flop \ + diff -Nru gnome-exe-thumbnailer-0.9.4/debian/patches/series gnome-exe-thumbnailer-0.9.4/debian/patches/series --- gnome-exe-thumbnailer-0.9.4/debian/patches/series 2016-12-12 04:55:32.000000000 +0800 +++ gnome-exe-thumbnailer-0.9.4/debian/patches/series 2017-07-25 22:23:50.000000000 +0800 @@ -1 +1,3 @@ +fix-version-label-readability.patch +switch-to-msiinfo.patch fallback-thumbnail-limit.patch diff -Nru gnome-exe-thumbnailer-0.9.4/debian/patches/switch-to-msiinfo.patch gnome-exe-thumbnailer-0.9.4/debian/patches/switch-to-msiinfo.patch --- gnome-exe-thumbnailer-0.9.4/debian/patches/switch-to-msiinfo.patch 1970-01-01 08:00:00.000000000 +0800 +++ gnome-exe-thumbnailer-0.9.4/debian/patches/switch-to-msiinfo.patch 2017-07-25 22:22:46.000000000 +0800 
@@ -0,0 +1,40 @@ +Author: James Lu <ja...@overdrivenetworks.com> +Subject: Switch to msitools' msiinfo for .msi ProductVersion fetching + This replaces the insecure VBScript-based parsing, which has issues described + at http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html +Origin: upstream, https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1d8e3102dd8fd23431ae6127d14a236da6b4a4a5 +Bug-Debian: https://bugs.debian.org/868705 + +Index: gnome-exe-thumbnailer/usr/bin/gnome-exe-thumbnailer +=================================================================== +--- gnome-exe-thumbnailer.orig/usr/bin/gnome-exe-thumbnailer 2017-07-18 09:14:28.425066264 +0800 ++++ gnome-exe-thumbnailer/usr/bin/gnome-exe-thumbnailer 2017-07-18 09:14:28.421066261 +0800 +@@ -350,25 +350,10 @@ + # Get the version number: + if [[ ${INPUTFILE##*.} = 'msi' ]] + then +- # Look for the ProductVersion property if user has the Microsoft (R) Windows Script Host installed: +- if which wine && grep -v 'Wine placeholder DLL' $HOME/.wine/drive_c/windows/system32/cscript.exe ++ # Look for the ProductVersion property using msitools' msiinfo if present ++ if which msiinfo + then +- # Workaround wine bug #19799: cscript crashes if you call WScript.Arguments(0) +- # http://bugs.winehq.org/show_bug.cgi?id=19799 +- <<< " +- Dim WI, DB, View, Record +- Set WI = CreateObject(\"WindowsInstaller.Installer\") +- Set DB = WI.OpenDatabase(\"$INPUTFILE\",0) +- Set View = DB.OpenView(\"SELECT Value FROM Property WHERE Property = 'ProductVersion'\") +- View.Execute +- Wscript.Echo View.Fetch.StringData(1) +- " iconv -f utf8 -t unicode > $TEMPFILE1.vbs +- +- VERSION=$( +- DISPLAY=NONE wine cscript.exe //E:vbs //NoLogo Z:\\tmp\\${TEMPFILE1##*/}.vbs 2>/dev/null \ +- | egrep -o '^[0-9]+\.[0-9]+(\.[0-9][0-9]?)?(beta)?' 
+- ) +- ++ VERSION=$(msiinfo export "$INPUTFILE" 'Property' | grep 'ProductVersion' | cut -f 2) + else + # Try to get the version number from extended file properties at least: + VERSION=$(
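Review bot: in the debian/control hunk, the added comment `+# mistools provides msiinfo to fetch version tags on .msi files` misspells the package name; it should read `msitools`. The untouched line above it, `# wine and wine(32|64)-tools are needed for .lnk and .msi thumbnailing`, is also stale now that .msi version lookup goes through msiinfo and wine is only needed for .lnk, so it deserves a reword in the same hunk. Note also that msitools lands in Recommends, not Depends, so the script must keep working when it is absent; the `if which msiinfo` / `else` fallback in switch-to-msiinfo.patch is what guarantees that, and it should stay.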
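Review bot: in the debian/patches/series hunk, both new patches modify usr/bin/gnome-exe-thumbnailer and are ordered ahead of the pre-existing fallback-thumbnail-limit.patch, which previously applied on its own. If that patch touches nearby regions of the same file it may now apply with an offset or fuzz, so a `quilt push -a` (or a full build) with the new order is worth confirming before upload.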
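Review bot: in the switch-to-msiinfo.patch hunk, the replacement `++ VERSION=$(msiinfo export "$INPUTFILE" 'Property' | grep 'ProductVersion' | cut -f 2)` drops the `egrep -o '^[0-9]+\.[0-9]+(\.[0-9][0-9]?)?(beta)?'` whitelist that the removed VBScript path applied to its output, so VERSION now carries arbitrary text from the Property table of an untrusted file straight into the `convert ... label:"$VERSION"` call patched at line 403 of the same script. Suggest appending the same filter after `cut -f 2` so that a non-numeric or oversized value degrades to an empty label rather than reaching convert. Two smaller points on the same line: `grep 'ProductVersion'` matches the string anywhere on the line, including inside a Value field, and would be more precise as `grep '^ProductVersion'` (the msiinfo export is tab-separated, hence the `cut -f 2`); and `if which msiinfo`, like the old `if which wine`, prints the resolved path to stdout, so `which msiinfo >/dev/null` keeps the thumbnailer's output clean.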