Package: xwine Version: 1.0.1-1.1 Severity: grave Justification: user security hole Tags: security
*** Please type your report below this line *** I'd urge for the removal of this package from Lenny/Sid because of bug 460783 + this one... xwine contains two flaws: 1. Insecure use of temporary files. 2. Broken permissions on /etc/wine/config Printing uses the static file '/tmp/temporaire' for spooling into with no sanity checks, then this: ./w_editeur.c: system("cat /tmp/temporaire | lp &"); ./w_editeur.c: system("rm -f /tmp/temporaire"); The second issue is more interesting. The global wine configuration file is abused thusly: ./w_export.c: system("cp -f ~/.wine/config /etc/wine/"); ./w_export.c: system("chmod 666 /etc/wine/config"); I guess for this to work the program must be started by root, but if the permissions are 0666 then any user may edit the file and cause DOS for local users. I'm not horribly familiar with Window configuration, but it does seem like you could cause arbitrary code to run when a local user invokes wine, and prints, via a configuration file like this: /etc/wine/config: [spooler] "FILE:" = "tmp.ps" "LPT1:" = "|/tmp/bogus-spooler.lpr" Mitigating circumstances are that these days Wine ignores /etc/wine/config & ~/.wine/config. Instead this information is stored in the wine registry which actually renders this package pointless for etch+ Steve -- System Information: Debian Release: lenny/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 2.6.18-4-xen-amd64 (SMP w/2 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]