(CVE-2019-11461) Incomplete fix for CVE-2017-5226
Nautilus is vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2019-10063 because it has bundled a vulnerable version of gnome-desktop-thumbnail-script.c, see gnome-desktop#112 (closed) for details.
Note it's probably a really bad idea to bundle security-critical code like this; it's just luck that I noticed nautilus had copied it when doing a Debian codesearch, I doubt you'd have noticed otherwise....
Edited by Michael Catanzaro