[CVE-2017-11421] Version number for .msi thumbnail is obtained from unreliable source
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
gnome-exe-thumbnailer (Debian) | Fix Released | Unknown | |
gnome-exe-thumbnailer (Ubuntu) | Fix Released | Critical | James Lu |
Xenial | Fix Released | Undecided | Unassigned |
Zesty | Fix Released | Undecided | Unassigned |
Bug Description
Binary package hint: gnome-exe-
The version number for the .msi package thumbnail is currently obtained from the parsed output of "file $INPUTFILE", which displays Windows file metadata (Author, Subject, etc.). This is a very unreliable source, because this metadata can be easily altered or often doesn't contain a version number (in the "Subject" field) at all. The real version number is hidden in the key "ProductVersion" of the table "Property" inside the MSI package, which is in fact a very simple relational database.
The value of this key can be easily obtained by this VB script:
' The lines below were truncated in the report; the Windows Installer
' automation calls are completed and the .msi path is taken from the
' first command-line argument (assumed here; the original argument is not shown).
Dim WI, DB, View, Record
Set WI = CreateObject("WindowsInstaller.Installer")
Set DB = WI.OpenDatabase(WScript.Arguments(0), 0)   ' 0 = open read-only
Set View = DB.OpenView("SELECT Value FROM Property WHERE Property = 'ProductVersion'")
View.Execute
Set Record = View.Fetch                              ' first (only) matching row
WScript.Echo Record.StringData(1)                    ' column 1 = Value
but the user must have both Wine and wsh57 (Microsoft Windows Script Host 5.7) installed, which is a rather rare case.
If somebody is able to write a simple utility that prints the value of ProductVersion to standard output, either for w32 (for use with Wine - minimum dependencies, msi.dll only if possible) or, much better, Unix native, please let us know here.
Useful links:
http://
http://
http://
CVE References
Changed in gnome-exe-thumbnailer (Debian): | |
status: | Unknown → Fix Committed |
Changed in gnome-exe-thumbnailer (Debian): | |
status: | Fix Committed → Fix Released |
summary: |
- Version number for .msi thumbnail is obtained from unreliable source
+ [CVE-2017-11421] Version number for .msi thumbnail is obtained from unreliable source |
msitools' msiinfo command can be used to extract this information:
msiinfo export file.msi Property
The ProductVerShort may also be relevant.
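The description above asks for a Unix-native way to read ProductVersion from the Property table, and the comment points at msiinfo. The following is an added example (not gnome-exe-thumbnailer or msitools code) that parses the IDT-format text msiinfo prints and accepts only a value in the documented ProductVersion shape, so that altered package metadata is never handed on as a version string; the SAMPLE_IDT text is constructed, and msiinfo is assumed to be on PATH only for export_property_table.

```python
"""Read ProductVersion from an MSI's Property table, parsing the IDT text that
`msiinfo export <file.msi> Property` prints. Added example, not project code."""
import re
import subprocess

# Windows Installer documents ProductVersion as major.minor.build[.rev]:
# major and minor fit in a byte, build in 16 bits (rev is ignored).
_VERSION_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,5})(?:\.\d{1,5})?$")


def parse_idt_property_table(idt_text: str) -> dict:
    """IDT text: three header lines (column names, column types, table name
    and key), then one tab-separated row per property -> {Property: Value}."""
    lines = idt_text.splitlines()
    if len(lines) < 3 or lines[0].split("\t")[:2] != ["Property", "Value"]:
        raise ValueError("not a Property table export")
    props = {}
    for row in lines[3:]:
        cells = row.split("\t")
        if len(cells) == 2:  # skip blank or malformed rows, never guess
            props[cells[0]] = cells[1]
    return props


def product_version(idt_text: str):
    """Return ProductVersion only when it has the documented shape and range;
    anything else, including a value altered inside the package, gives None."""
    value = parse_idt_property_table(idt_text).get("ProductVersion")
    m = _VERSION_RE.match(value) if value is not None else None
    if not m:
        return None
    major, minor, build = (int(m.group(i)) for i in (1, 2, 3))
    if major > 255 or minor > 255 or build > 65535:
        return None
    return value


def export_property_table(msi_path: str) -> str:
    """Invoke msiinfo as an argument list (no shell) and return its output."""
    proc = subprocess.run(["msiinfo", "export", msi_path, "Property"],
                          capture_output=True, text=True, check=True)
    return proc.stdout


# Constructed sample export; FREETEXT_IDT carries the kind of free-form
# version string `file` reports from metadata, and must be rejected.
SAMPLE_IDT = ("Property\tValue\ns72\tl0\nProperty\tProperty\n"
              "ProductName\tExample App\nProductVersion\t1.2.3456\n")
FREETEXT_IDT = SAMPLE_IDT.replace("1.2.3456", "1.2 beta (build 3456)")
```

`product_version(export_property_table("/path/to/file.msi"))` returns the version string or None; the thumbnailer would fall back to no version label in the None case.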