Crazy bug of the week: Gnome Files' .MSI parser runs evil VBScripts Gnome developers, take a bow: a bug in your image thumbnailer has opened up a (not too scary, thankfully) hole for script injection. The security vulnerability was revealed this week by Nils Dagsson Moskopp here, and his advice for users is: “Delete all files in /usr/share/thumbnailers. Do not use GNOME Files. Uninstall any …
Whenever an icon for a Microsoft Windows executable (EXE), installer (MSI), library (DLL), or shortcut (LNK) should be shown, Gnome Files calls /usr/bin/gnome-exe-thumbnailer to either extract an embedded icon from the file in question or deliver a fallback image for the appropriate filetype.”
Just deliver the fallback image. Nobody needs to start up WINE once per file in a file browser nor are they really interested in the icon, they just need to see if it's a Windows executable or whatever. Exploits like this happens when people over engineer stuff.
This is, unfortunately, a typical symptom of the current breed of Desktop developers. The important problems have all been solved decades ago, now they are just trying to solve them more and more complex. The result are feature nobody asked for, which not only harm productivity, but also security.
Unfortunately this is happenning on virtually all desktop platforms.
It seems that Red Hat is nowadays run by a club of "developers" who think security issues cannot happen to them because
1. they're so very clever
2. magic open source pixie dust
3. calling something "Linux" makes it automatically secure.
It seems they still need to learn the lessons that Microsoft learned the hard way during the Windows XP SP2 timeframe. Seems they are also opting for the hard way.
if the package is a constant source of CVEs, the problem should be fixed on distro level, like this one for example
- https://security.gentoo.org/glsa/201402-17:
"Resolution: Gentoo has discontinued support for Xpdf. We recommend that users unmerge Xpdf"
Why am I not surprised? The Gnome developers seem to be hell-bent on breaking stuff and generally re-implementing things badly that were already solved problems. Instead of them wasting time removing features/functionality to dumb things down, perhaps they should spend more time on bug-fixing, reviewing security, and not doing dumb stuff like this example.
It's not an integral part of Gnome. It's part of the WINE package that WINE installs into Gnome to give you Windows compatible icons. From what I can see, if you don't ever install WINE, you shouldn't have it.
Also, a quick Google of the name also mentions it with respect to XFCE and Mint. It's quite possible that it is not limited to Gnome. There may also be other equivalent versions for other desktops which you may have if you ever installed WINE.
Kudos to the WINE people for their successful emulation of yet another Windows "feature".
...if you can create arbitrary files, you can have all sorts of fun with a Linux environment (even if only in the current user's context).
The first and most obvious thing to do with this is try to gain root and have some real fun.
Arbitrary files equals arbitrary commands leads to eventual pwnage.
Yes you'd think that's in the "do not stick your fingers in an electric socket as it may harm you" grade of stupid warnings that don't need to be issued.
Except apparently it's not.
Or for the slightly more professional.
If you don't understand a language spec fully you should not try constructing a parser for that language, because you will probably f**k it up.
A year or two ago, I wrote a comedy comment about gadgets Seeing Code, Running Code.
E.g. Malicious software being spray painted onto the sidewalk, and passing smartphones immediately seeing it in their field of view, capturing it, OCR'ing it, compiling it, and of course executing it.
"CODE! MUST. RUN. CODE. Look Code !! GRAB CODE, RUN CODE."
I was just kidding. Please stop.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
