1473285 – (CVE-2017-11421) CVE-2017-11421 gnome-exe-thumbnailer: VBScript Injection when generating thumbnails for MSI files

Bug 1473285 (CVE-2017-11421) - CVE-2017-11421 gnome-exe-thumbnailer: VBScript Injection when generating thumbnails for MSI files

Summary: CVE-2017-11421 gnome-exe-thumbnailer: VBScript Injection when generating thum...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2017-11421
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-07-20 12:11 UTC by Andrej Nemec
Modified:	2021-02-17 01:52 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-07-20 12:14:56 UTC
Embargoed:

Attachments	(Terms of Use)

Description Andrej Nemec 2017-07-20 12:11:40 UTC

gnome-exe-thumbnailer before 0.9.5 is prone to a VBScript Injection when generating thumbnails for MSI files, aka the "Bad Taste" issue. There is a local attack if the victim uses the GNOME Files file manager, and navigates to a directory containing a .msi file with VBScript code in its filename.

External References:

http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html

Upstream patch:

https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1d8e3102dd8fd23431ae6127d14a236da6b4a4a5

References:

http://thehackernews.com/2017/07/linux-gnome-vulnerability.html
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868705

Comment 1 Andrej Nemec 2017-07-20 12:14:56 UTC

Statement:

This issue did not affect any of the Red Hat products as they did not include the gnome-exe-thumbnailer package.

Note You need to log in before you can comment on or make changes to this bug.