[CVE-2017-11421] Version number for .msi thumbnail is obtained from unreliable source

Bug #651610 reported by Jan Nekvasil
Affects                           Status        Importance  Assigned to  Milestone
gnome-exe-thumbnailer (Debian)    Fix Released  Unknown
gnome-exe-thumbnailer (Ubuntu)    Fix Released  Critical    James Lu
  Xenial                          Fix Released  Undecided   Unassigned
  Zesty                           Fix Released  Undecided   Unassigned

Bug Description

Binary package hint: gnome-exe-thumbnailer

The version number for the .msi package thumbnail is currently obtained from the parsed output of "file $INPUTFILE", which displays Windows file metadata (Author, Subject, etc.). This is a very unreliable source, because this metadata can be easily altered or often doesn't contain a version number (in the "Subject" field) at all. The real version number is hidden in the key "ProductVersion" of the table "Property" inside the MSI package, which is in fact a very simple relational database.

The value of this key can be easily obtained with this VB script:

    ' Open the MSI as a database through the Windows Installer COM object
    Dim WI, DB, View, Record
    Set WI = CreateObject("WindowsInstaller.Installer")
    Set DB = WI.OpenDatabase("$INPUTFILE", 0)   ' 0 = msiOpenDatabaseModeReadOnly
    ' Query the Property table for the ProductVersion row
    Set View = DB.OpenView("SELECT Value FROM Property WHERE Property = 'ProductVersion'")
    View.Execute
    ' Print the first column (Value) of the first fetched record
    Wscript.Echo View.Fetch.StringData(1)

but the user must have both Wine and wsh57 (Microsoft Windows Script Host 5.7) installed, which is a rather rare case.

If somebody is able to write a simple utility that prints the value of ProductVersion to standard output, either for w32 (for use with Wine - minimum dependencies, msi.dll only if possible) or, much better, Unix native, please let us know here.

Useful links:
http://wiki.winehq.org/MicrosoftInstaller
http://msdn.microsoft.com/en-us/library/aa370133(VS.85).aspx
http://www.technipages.com/download-orca-msi-editor.html

Stephen Kitt (steve-sk2) wrote :

msitools' msiinfo command can be used to extract this information:

    msiinfo export file.msi Property

The ProductVerShort may also be relevant.
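
The following is an added example, not code from the bug report or from gnome-exe-thumbnailer itself. It shows how a thumbnailer can consume the msiinfo approach suggested above without ever interpolating the filename into a script: the path is passed as a separate argument, and the value pulled from the Property table is validated before use. It assumes msiinfo's IDT export layout (column names, column types, table name, then tab-separated rows); the sample table is constructed here.

```sh
#!/bin/sh
# Added example (not the gnome-exe-thumbnailer code): safely obtain the
# ProductVersion of an .msi via `msiinfo export FILE.msi Property`.

# Constructed sample of what `msiinfo export foo.msi Property` prints
# (IDT format: column names, column types, table name, then rows).
SAMPLE_PROPERTY_TABLE="$(printf 'Property\tValue\ns72\tl0\nProperty\tProperty\nProductName\tExample App\nProductVersion\t1.2.3\nManufacturer\tExample Corp\n')"

# Constructed sample with a ProductVersion that is not a plain version
# string; such a value is treated as untrusted and rejected.
SAMPLE_BAD_TABLE="$(printf 'Property\tValue\ns72\tl0\nProperty\tProperty\nProductVersion\tv1.0-rc1 (build 7)\n')"

# product_version_from_idt: read IDT text on stdin and print the
# ProductVersion value only if it is digits separated by dots.
# Returns non-zero (and prints nothing) when the value is absent or odd.
product_version_from_idt() {
    awk -F '\t' 'NR > 3 && $1 == "ProductVersion" { print $2; exit }' |
    grep -E '^[0-9]+(\.[0-9]+){0,3}$'
}

# msi_product_version: run msiinfo on a file. The filename is one argv
# element, so nothing in it is parsed by a shell or a script interpreter.
msi_product_version() {
    msiinfo export "$1" Property 2>/dev/null | product_version_from_idt
}
```

Call `msi_product_version some.msi` on a system with msitools installed; an empty result means the thumbnail should simply omit the version rather than fall back to less trustworthy metadata.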

Jan Nekvasil (jan-nekvasil) wrote :

@Stephen Kitt: Thanks a lot, I'm definitely going to implement it. Alas, there's no official msitools package for Trusty, but that one from Wily works well.

Laurent Bigonville (bigon) wrote :
Changed in gnome-exe-thumbnailer (Ubuntu):
importance: Undecided → Critical
information type: Public → Public Security
Changed in gnome-exe-thumbnailer (Debian):
status: Unknown → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnome-exe-thumbnailer - 0.9.5-1

---------------
gnome-exe-thumbnailer (0.9.5-1) unstable; urgency=high

  [ Stephen Kitt ]
  * Fix the filename mangling in debian/watch.

  [ James Lu ]
  * New upstream release.
    - Switch to msitools' msiinfo for ProductVersion fetching, replacing the
      insecure VBScript-based parsing as described at
      http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html
      (Closes: #868705; LP: #651610; CVE-2017-11421).
  * Add Enhances: caja, tumbler (>= 0.1.92~), nautilus, nemo
    These are some of the many file managers/thumbnailer programs that support
    desktop thumbnailers like exe-thumbnailer, and I have verified (at some
    point) that all of these work.
  * fallback-thumbnail-limit.patch: drop, applied upstream.
  * Bump Standards-Version to 4.0.0; no changes needed.
  * Add msitools to recommends; it is used to fetch .msi version info.

 -- James Lu <email address hidden> Tue, 18 Jul 2017 08:18:48 +0800

Changed in gnome-exe-thumbnailer (Ubuntu):
status: New → Fix Released
Changed in gnome-exe-thumbnailer (Debian):
status: Fix Committed → Fix Released
James Lu (jlu5)
summary: - Version number for .msi thumbnail is obtained from unreliable source
+ [CVE-2017-11421] Version number for .msi thumbnail is obtained from
+ unreliable source
James Lu (jlu5) wrote :
Changed in gnome-exe-thumbnailer (Ubuntu Xenial):
assignee: nobody → James Lu (tacocat)
Changed in gnome-exe-thumbnailer (Ubuntu Zesty):
assignee: nobody → James Lu (tacocat)
Changed in gnome-exe-thumbnailer (Ubuntu):
assignee: nobody → James Lu (tacocat)
Changed in gnome-exe-thumbnailer (Ubuntu Xenial):
status: New → In Progress
Changed in gnome-exe-thumbnailer (Ubuntu Zesty):
status: New → In Progress
Unit 193 (unit193) wrote :

On Zesty, I tried to reproduce the CVE before the patch and was able to; after patching the package, rebuilding, and restarting the thumbnailer service, I could no longer reproduce the issue.

Changed in gnome-exe-thumbnailer (Ubuntu Zesty):
assignee: James Lu (tacocat) → nobody
Changed in gnome-exe-thumbnailer (Ubuntu Xenial):
assignee: James Lu (tacocat) → nobody
status: In Progress → Confirmed
Changed in gnome-exe-thumbnailer (Ubuntu Zesty):
status: In Progress → Confirmed
Tyler Hicks (tyhicks) wrote :

Thanks for the debdiffs! The code changes look good to me but I had to rewrite most of the changelog as we like our security uploads to follow a standard format. Details are available here:

  https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging

Also important to note is that I adjusted the version of the Zesty upload to match the versioning described on that wiki page and that I targeted both uploads to the -security pocket. These are minor issues that were easy for me to fix up, so I went ahead and did so in order to get the security updates out quickly.

Thanks again for the security updates! :)

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnome-exe-thumbnailer - 0.9.4-2ubuntu0.1

---------------
gnome-exe-thumbnailer (0.9.4-2ubuntu0.1) zesty-security; urgency=high

  [ James Lu ]
  * SECURITY UPDATE: Arbitrary code execution (LP: #651610)
    - debian/patches/switch-to-msiinfo.patch: Switch to msitools' msiinfo for
      ProductVersion fetching, replacing the insecure VBScript-based parsing
    - debian/control: Add msitools to recommends; it is now used to fetch .msi
      version info.
    - CVE-2017-11421

 -- Tyler Hicks <email address hidden> Fri, 04 Aug 2017 00:07:05 +0000

Changed in gnome-exe-thumbnailer (Ubuntu Zesty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnome-exe-thumbnailer - 0.9.3-2ubuntu0.16.04.1

---------------
gnome-exe-thumbnailer (0.9.3-2ubuntu0.16.04.1) xenial-security; urgency=medium

  [ James Lu ]
  * SECURITY UPDATE: Arbitrary code execution (LP: #651610)
    - debian/patches/switch-to-msiinfo.patch: Switch to msitools' msiinfo for
      ProductVersion fetching, replacing the insecure VBScript-based parsing
    - debian/control: Add msitools to recommends; it is now used to fetch .msi
      version info.
    - CVE-2017-11421

 -- Tyler Hicks <email address hidden> Fri, 04 Aug 2017 00:05:54 +0000

Changed in gnome-exe-thumbnailer (Ubuntu Xenial):
status: Confirmed → Fix Released
James Lu (jlu5) wrote :

Hi,

Thank you as well for the touchup and upload!
