Package: xwine
Version: 1.0.1-1.1
Severity: grave
Justification: user security hole
Tags: security
*** Please type your report below this line ***
I'd urge for the removal of this package from Lenny/Sid because
of bug 460783 + this one...
xwine contains two flaws:
1. Insecure use of temporary files.
2. Broken permissions on /etc/wine/config
Printing uses the static file '/tmp/temporaire' for spooling into
with no sanity checks, then this:
./w_editeur.c: system("cat /tmp/temporaire | lp &");
./w_editeur.c: system("rm -f /tmp/temporaire");
The second issue is more interesting. The global wine configuration
file is abused thusly:
./w_export.c: system("cp -f ~/.wine/config /etc/wine/");
./w_export.c: system("chmod 666 /etc/wine/config");
I guess for this to work the program must be started by root,
but if the permissions are 0666 then any user may edit the file
and cause DOS for local users. I'm not horribly familiar with
Window configuration, but it does seem like you could cause
arbitrary code to run when a local user invokes wine, and prints,
via a configuration file like this:
/etc/wine/config:
[spooler]
"FILE:" = "tmp.ps"
"LPT1:" = "|/tmp/bogus-spooler.lpr"
Mitigating circumstances are that these days Wine ignores
/etc/wine/config & ~/.wine/config. Instead this information
is stored in the wine registry which actually renders this package
pointless for etch+
Steve
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.18-4-xen-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
