
group.of.nepali.translators team mailing list archive

[Bug 651610] Re: [CVE-2017-11421] Version number for .msi thumbnail is obtained from unreliable source

This bug was fixed in the package gnome-exe-thumbnailer -
0.9.4-2ubuntu0.1

---------------
gnome-exe-thumbnailer (0.9.4-2ubuntu0.1) zesty-security; urgency=high

  [ James Lu ]
  * SECURITY UPDATE: Arbitrary code execution (LP: #651610)
    - debian/patches/switch-to-msiinfo.patch: Switch to msitools' msiinfo for
      ProductVersion fetching, replacing the insecure VBScript-based parsing
    - debian/control: Add msitools to recommends; it is now used to fetch .msi
      version info.
    - CVE-2017-11421

 -- Tyler Hicks <tyhicks@xxxxxxxxxxxxx>  Fri, 04 Aug 2017 00:07:05 +0000

** Changed in: gnome-exe-thumbnailer (Ubuntu Zesty)
       Status: Confirmed => Fix Released

** Changed in: gnome-exe-thumbnailer (Ubuntu Xenial)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/651610

Title:
  [CVE-2017-11421] Version number for .msi thumbnail is obtained from
  unreliable source

Status in gnome-exe-thumbnailer package in Ubuntu:
  Fix Released
Status in gnome-exe-thumbnailer source package in Xenial:
  Fix Released
Status in gnome-exe-thumbnailer source package in Zesty:
  Fix Released
Status in gnome-exe-thumbnailer package in Debian:
  Fix Released

Bug description:
  Binary package hint: gnome-exe-thumbnailer

  The version number for the .msi package thumbnail is currently obtained
  from the parsed output of "file $INPUTFILE", which displays Windows file
  metadata (Author, Subject, etc.). This is a very unreliable source,
  because this metadata can be easily altered or often doesn't contain the
  version number (in the "Subject" field) at all. The real version number
  is hidden in the key "ProductVersion" of the table "Property" inside the
  MSI package, which is in fact a very simple relational database.

  The value of this key can be easily obtained by this VBScript:

  ' Open the .msi as a read-only database through the Windows Installer COM object
  Dim WI, DB, View
  Set WI = CreateObject("WindowsInstaller.Installer")
  Set DB = WI.OpenDatabase("$INPUTFILE", 0)   ' 0 = msiOpenDatabaseModeReadOnly
  ' Query the Property table for the single ProductVersion row
  Set View = DB.OpenView("SELECT Value FROM Property WHERE Property = 'ProductVersion'")
  View.Execute
  ' Print the first column of the first fetched record
  Wscript.Echo View.Fetch.StringData(1)

  but the user must have both Wine and wsh57 (Microsoft Windows Script
  Host 5.7) installed, which is a rather rare case.

  If somebody is able to write a simple utility that prints the value of
  ProductVersion to standard output, either for w32 (for use with Wine -
  minimum dependencies, msi.dll only if possible) or, much better, Unix
  native, please let us know here.

  Useful links:
  http://wiki.winehq.org/MicrosoftInstaller
  http://msdn.microsoft.com/en-us/library/aa370133(VS.85).aspx
  http://www.technipages.com/download-orca-msi-editor.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-exe-thumbnailer/+bug/651610/+subscriptions
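The fix in the changelog above swaps the Wine/VBScript lookup for msitools' msiinfo. The following is an added example, not code from gnome-exe-thumbnailer or from the bug reporter, showing how a shell thumbnailer can read ProductVersion that way while avoiding the hazard visible in the VBScript: there, the path "$INPUTFILE" is spliced into an interpreted script, so the file name itself becomes script text. Here the path only ever travels as an argv element to msiinfo, and the value read back is constrained to a conservative version shape before it is reused. Assumptions: `msiinfo export FILE Property` prints the table in IDT text form (column names, column types, key line, then tab-separated rows); the function names are hypothetical; the two sample tables are constructed, including one with a hostile ProductVersion value.

```shell
#!/bin/sh
# Added example for a hardened .msi ProductVersion lookup (hypothetical
# helper names, not the gnome-exe-thumbnailer code).

# Parse an IDT-format Property table on stdin (as produced by
# `msiinfo export FILE Property`: column names, column types, key line,
# then tab-separated rows) and print the ProductVersion value, if any.
# The first field of the three header lines is never "ProductVersion",
# so no row counting is needed.
product_version_from_idt() {
    awk -F'\t' '$1 == "ProductVersion" { print $2; exit }'
}

# Accept only digits and dots. Anything else in the table is attacker
# controlled data and must not reach an interpreter, a file name or a
# label further down the pipeline.
sanitize_version() {
    ver=$(cat)
    case $ver in
        ''|*[!0-9.]*) return 1 ;;
        *) printf '%s\n' "$ver" ;;
    esac
}

# Look up the version of a real package. The path is passed to msiinfo as
# a plain argument, never interpolated into script source.
msi_product_version() {
    msiinfo export "$1" Property 2>/dev/null |
        product_version_from_idt |
        sanitize_version
}

# Constructed sample tables imitating msiinfo's IDT output. The second one
# carries a ProductVersion that tries to break out of a quoted string.
SAMPLE_IDT=$(printf 'Property\tValue\ns72\tl0\nProperty\tProperty\nProductName\tExample App\nProductVersion\t1.2.3\nManufacturer\tExample Corp\n')
HOSTILE_IDT=$(printf 'Property\tValue\ns72\tl0\nProperty\tProperty\nProductVersion\t1.0": MsgBox("pwned")\n')

# Returns "1.2.3".
good_version() {
    printf '%s\n' "$SAMPLE_IDT" | product_version_from_idt | sanitize_version
}

# Prints nothing and returns 1: the value fails the digits-and-dots check.
hostile_version() {
    printf '%s\n' "$HOSTILE_IDT" | product_version_from_idt | sanitize_version
}

# Stand-alone demonstration.
good_version
hostile_version || echo "rejected hostile ProductVersion" >&2
```

Wiring this into a thumbnailer means calling `msi_product_version "$INPUTFILE"` and treating an empty result as "no version label", never as an error worth embedding the raw table value in. The separation matters for the check as well: `sanitize_version` rejects, rather than escapes, because a version string has no legitimate need for quotes, parentheses or spaces.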