Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 19 Jul 2017 11:06:51 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Subject: gnome-exe-thumbnailer: CVE-2017-11421: VBScript script injection
 when generating thumbnails for MSI files

Hi

MITRE has assigned CVE-2017-11421 for the following issue in
gnome-exe-thumbnailer, a Wine .exe and other executable thumbnailer
for GNOME:

gnome-exe-thumbnailer before 0.9.5 is prone to a VBScript Injection
when generating thumbnails for MSI files. There is a local attack if
the victim uses the GNOME Files file manager, and navigates to a
directory containing a .msi file with VBScript code in its filename.

Upstream fix:

https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1d8e3102dd8fd23431ae6127d14a236da6b4a4a5

References:

https://bugs.debian.org/868705
http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html

Regards,
Salvatore

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.