Acknowledgement sent to Steve Kemp <skx@debian.org>:
New Bug report received and forwarded. Copy sent to Aurelien Labrosse <aurelien.labrosse@free.fr>.
(full text, mbox, link).
Package: xwine
Version: 1.0.1-1.1
Severity: grave
Justification: user security hole
Tags: security
*** Please type your report below this line ***
I'd urge for the removal of this package from Lenny/Sid because
of bug 460783 + this one...
xwine contains two flaws:
1. Insecure use of temporary files.
2. Broken permissions on /etc/wine/config
Printing uses the static file '/tmp/temporaire' for spooling into
with no sanity checks, then this:
./w_editeur.c: system("cat /tmp/temporaire | lp &");
./w_editeur.c: system("rm -f /tmp/temporaire");
The second issue is more interesting. The global wine configuration
file is abused thusly:
./w_export.c: system("cp -f ~/.wine/config /etc/wine/");
./w_export.c: system("chmod 666 /etc/wine/config");
I guess for this to work the program must be started by root,
but if the permissions are 0666 then any user may edit the file
and cause DOS for local users. I'm not horribly familiar with
Window configuration, but it does seem like you could cause
arbitrary code to run when a local user invokes wine, and prints,
via a configuration file like this:
/etc/wine/config:
[spooler]
"FILE:" = "tmp.ps"
"LPT1:" = "|/tmp/bogus-spooler.lpr"
Mitigating circumstances are that these days Wine ignores
/etc/wine/config & ~/.wine/config. Instead this information
is stored in the wine registry which actually renders this package
pointless for etch+
Steve
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.18-4-xen-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Bug 468050 cloned as bug 469997.
Request was from madcoder@madism.org (Pierre Habouzit)
to control@bugs.debian.org.
(Sat, 08 Mar 2008 15:57:07 GMT) (full text, mbox, link).
Reply sent to Marco Rodrigues <gothicx@sapo.pt>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Steve Kemp <skx@debian.org>:
Bug acknowledged by developer.
(full text, mbox, link).
Subject: xwine has been removed from Debian, closing #468050
Date: Fri, 25 Apr 2008 22:23:45 +0100
Version: 1.0.1-1.1+rm
The xwine package has been removed from Debian testing, unstable and
experimental, so I am now closing the bugs that were still opened
against it.
For more information about this package's removal, read
http://bugs.debian.org/468398 . That bug might give the reasons why
this package was removed, and suggestions of possible replacements.
Don't hesitate to reply to this mail if you have any question.
Thank you for your contribution to Debian.
--
Marco Rodrigues
http://Marco.Tondela.org
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 24 Aug 2008 07:32:05 GMT) (full text, mbox, link).
Debbugs is free software and licensed under the terms of the GNU General
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.