Debian Bug report logs - #468050
Security problems present in xwine


Package: xwine; Maintainer for xwine is (unknown);

Reported by: Steve Kemp <skx@debian.org>

Date: Tue, 26 Feb 2008 19:36:01 UTC

Severity: grave

Tags: security

Found in version xwine/1.0.1-1.1

Fixed in version 1.0.1-1.1+rm

Done: Marco Rodrigues <gothicx@sapo.pt>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Aurelien Labrosse <aurelien.labrosse@free.fr>:
Bug#468050; Package xwine.

Acknowledgement sent to Steve Kemp <skx@debian.org>:
New Bug report received and forwarded. Copy sent to Aurelien Labrosse <aurelien.labrosse@free.fr>.

Message #5 received at submit@bugs.debian.org:

From: Steve Kemp <skx@debian.org>
To: submit@bugs.debian.org
Subject: Security problems present in xwine
Date: Tue, 26 Feb 2008 19:33:42 +0000
Package: xwine
Version: 1.0.1-1.1
Severity: grave
Justification: user security hole
Tags: security

*** Please type your report below this line ***

  I'd urge for the removal of this package from Lenny/Sid because
 of bug 460783 + this one...

  xwine contains two flaws:

   1.  Insecure use of temporary files.
   2.  Broken permissions on /etc/wine/config

  Printing uses the static file '/tmp/temporaire' for spooling into
 with no sanity checks, then this:
  ./w_editeur.c:          system("cat /tmp/temporaire | lp &");
  ./w_editeur.c:          system("rm -f /tmp/temporaire");

  The second issue is more interesting.  The global wine configuration
 file is abused thusly:

 ./w_export.c:      system("cp -f ~/.wine/config /etc/wine/");
 ./w_export.c:      system("chmod 666 /etc/wine/config");

  I guess for this to work the program must be started by root,
 but if the permissions are 0666 then any user may edit the file
 and cause DoS for local users.  I'm not horribly familiar with
 Window configuration, but it does seem like you could cause
 arbitrary code to run when a local user invokes wine, and prints,
 via a configuration file like this:

 /etc/wine/config:
 [spooler]
 "FILE:" = "tmp.ps"
 "LPT1:" = "|/tmp/bogus-spooler.lpr"

  Mitigating circumstances are that these days Wine ignores
 /etc/wine/config & ~/.wine/config.  Instead this information
 is stored in the wine registry which actually renders this package
 pointless for etch+

Steve
-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.18-4-xen-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash




Bug 468050 cloned as bug 469997. Request was from madcoder@madism.org (Pierre Habouzit) to control@bugs.debian.org. (Sat, 08 Mar 2008 15:57:07 GMT)

Reply sent to Marco Rodrigues <gothicx@sapo.pt>:
You have taken responsibility.

Notification sent to Steve Kemp <skx@debian.org>:
Bug acknowledged by developer.

Message #12 received at 468050-done@bugs.debian.org:

From: Marco Rodrigues <gothicx@sapo.pt>
To: 468050-done@bugs.debian.org
Subject: xwine has been removed from Debian, closing #468050
Date: Fri, 25 Apr 2008 22:23:45 +0100
Version: 1.0.1-1.1+rm

The xwine package has been removed from Debian testing, unstable and
experimental, so I am now closing the bugs that were still opened
against it.

For more information about this package's removal, read
http://bugs.debian.org/468398 . That bug might give the reasons why
this package was removed, and suggestions of possible replacements.

Don't hesitate to reply to this mail if you have any questions.

Thank you for your contribution to Debian.

--
Marco Rodrigues
http://Marco.Tondela.org




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Aug 2008 07:32:05 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 21:28:44 2014; Machine Name: buxtehude.debian.org