Bug#903622: marked as done (wine32: insecure use of /tmp)

[Debian Bug Tracking System]

Your message dated Thu, 12 Jul 2018 06:19:58 +0000
with message-id <e1fduxk-000ai3...@fasolo.debian.org>
and subject line Bug#903622: fixed in wine-development 3.12-2
has caused the Debian Bug report #903622,
regarding wine32: insecure use of /tmp
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
903622: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903622
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: wine32
Version: 1.8.1-2
Tags: security

wine uses /tmp/.wine-$UID as a directory for sockets and lock files. This is insecure. Malicious local user could create /tmp/.wine-$UID for another user's uid, preventing the other user from using wine.

Moreover, the server_connect() function doesn't check if /tmp/.wine-$UID or its subdirectories are symlinks, so in some circumstances it might be possible to trick wine to connect to an unrelated socket.

-- System Information:
Debian Release: stretch/sid
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 4.4.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages wine32 depends on:
ii  libc6         2.21-9
ii  libfreetype6  2.6.1-0.1
ii  libncurses5   6.0+20160213-1
ii  libwine       1.8.1-2
ii  x11-utils     7.7+3

Versions of packages wine32 recommends:
pn  libasound2-plugins  <none>
ii  libgl1-mesa-dri     11.1.2-1
ii  wine                1.8.1-2

--
Jakub Wilk

--- End Message ---

--- Begin Message ---

Source: wine-development
Source-Version: 3.12-2

We believe that the bug you reported is fixed in the latest version of
wine-development, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 903...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <mgilb...@debian.org> (supplier of updated wine-development 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 11 Jul 2018 07:50:41 +0000
Source: wine-development
Binary: wine-development wine32-development wine64-development 
wine32-development-preloader wine64-development-preloader 
wine32-development-tools wine64-development-tools libwine-development 
libwine-development-dev
Architecture: source
Version: 3.12-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Wine Party <debian-w...@lists.debian.org>
Changed-By: Michael Gilbert <mgilb...@debian.org>
Description:
 libwine-development - Windows API implementation - library
 libwine-development-dev - Windows API implementation - development files
 wine-development - Windows API implementation - standard suite
 wine32-development - Windows API implementation - 32-bit binary loader
 wine32-development-preloader - Windows API implementation - prelinked 32-bit 
binary loader
 wine32-development-tools - Windows API implementation - 32-bit developer tools
 wine64-development - Windows API implementation - 64-bit binary loader
 wine64-development-preloader - Windows API implementation - prelinked 64-bit 
binary loader
 wine64-development-tools - Windows API implementation - 64-bit developer tools
Closes: 903622
Changes:
 wine-development (3.12-2) unstable; urgency=medium
 .
   * Update standards version to 4.1.5 (no changes required).
   * Fix unused variable and function warnings caused by patches.
   * Use /run/user as a safer temporary directory (closes: #903622).
Checksums-Sha1:
 e6c83c0d058bdf4586ee35f4f3a79c35c54641f9 4755 wine-development_3.12-2.dsc
 8660117ccefce229123ab4aee3822e13f371054f 181140 
wine-development_3.12-2.debian.tar.xz
 8283751c68057adcce7b25aa523303df92d28f02 19690 
wine-development_3.12-2_source.buildinfo
Checksums-Sha256:
 293ffad7706e62803b4643a8ec9469929e7a913dda2cacf4401c1c12d7733626 4755 
wine-development_3.12-2.dsc
 f5f253b346eafbd79f9462f1acdd20fbb942c626e404cf49603b2982e8cb41bb 181140 
wine-development_3.12-2.debian.tar.xz
 9b26217c5c69815bedd5d021a23758adae44d354e0954b79365e3ebb45b4f86f 19690 
wine-development_3.12-2_source.buildinfo
Files:
 baac79fb324bd1e2ed77e07448bf5c2a 4755 otherosfs optional 
wine-development_3.12-2.dsc
 c6d7f63158396c5ffb8704365028c47c 181140 otherosfs optional 
wine-development_3.12-2.debian.tar.xz
 5eb20abba129f22d876597ede33d0781 19690 otherosfs optional 
wine-development_3.12-2_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQQzBAEBCgAdFiEEluhy7ASCBulP9FUWuNayzQLW9HMFAltG7qsACgkQuNayzQLW
9HOS4B//RntcT46iNw1tZuy/org5G0trTT5Lj39qA72A5vluUAQ6BtaHJ4fH9aMb
IG0NXZHmUFrQZ1ay04xrf2MqDYbRFxAssEJmFYzOWZ2Ausife1DMZ5lOWeU5Rs89
t+fn71DDRGgKUQFEir2wkL/x0smS+u/jkGKKQOJuL7E6+EPiV3ew0XuUyDcmfN6S
2NVakkwJKc8LQiWc0JaNBmcFBqCms8rSd+eJX0HRGEpLY4TbZ2g4O4uuakuQVu3R
7ubHIfP0Qluo7RoHSriboW9fxF/W6G3nyuMDqhai9hkWCkhimqQ7n7/mU4Cb8kTr
jMzo4G2EgL/2PXYPfZCzCCthQS7Tj0Y1BeT5w2bjY/f/EmakCnMrdtQJQW1yR7M3
42oAInlEE5vZmkzbLtLsPbnxQvS9Blr0JGUwFd3ZssZDOyV0bIBsG6gAlfuklAU1
jIzPUBMC/maesPncbjy2O8C0/5H122XcsFd79cjN4D8i6pDTK/QnpYOsiqfO/3I1
o0g3jIf01Siogmzxl8BI/rl7ziGRhja/ZatmOfIh81TNizQWAVwKMDTmipffpbfA
2Kf8b6ks9pUkHnRpWYuOfhLXXqUPutOtKmcI845Hb7u22voYJ1tVKPPCR7ZbcCJF
2/e+EMAde6W39YzaP6DnmVpd5VST14Zn4KXlSjpr1lEXI3mJpxSFfiJPaID42WSA
89i6qjqdX1OzUDpILD5X3fxta6g9ntMt7j0tbeSp0wT3Z31+EBnljm9TWaenN1PZ
x+CQbkA8O3SvhQxsj8VOH2t6qL4wQKs41D2Nsu1o1WrJZqUeGZjLfrDN1HzzjDf3
QPMgyxN4QauDO8f9U3H8r9wqE60L7/4mCt8WY5qGlmqRoiywdk78iRtOPWMyBIpj
tNiT/vWCYx23SPNupm/XmAt79jda8uyMw9LpXEA13zzLQhbuUtSkxxIm5ap0M8tA
o8uc73S1A324bq/qZx21p1afO8G78slsWliN3A6vLYuP3q4C0kbC/Uc828KfNM81
fxeZZmRJV/LKLE+i7n6C8CIRJl2zaeABXp+4T1lrKrNNp3NjLMXb4+L9FqG95wXk
YxuEoOLHsO3b/0c3YMdzkHbaJ22iqTXZ0TKZuJUE+SntjQXSN7aPBW2fSnoplxn8
DKBhMOdWYVk20SVpAXpqfD+i52mxHZuNiSly5UgLNhwV1Acb7D17LuHDO6gjgPxp
Fa2KfrQkQ9wURDxqZlTRSFEgO1bz0XyWQsu6kKeq29WB7II1gmjv96UiqANyfB/g
Re0uNLxHbnQaHBF55fmKRkQo/n6vARBXZ+NuY+2eeKcbZYm9HRSokJB4C9BthLGh
Q7FqXMKhXF+T1u2siG7ukObdTzr5Pg==
=DxS4
-----END PGP SIGNATURE-----

--- End Message ---