On Mon, 18 May 2026 22:01:16 -0400 Aaron Rainbolt <[email protected]> wrote:
... snip ... > If all applications followed the xdg-mime manpage's advice to never > execute code when opening a file, this wouldn't be that big of a > problem. This is where Wine comes in; it ships a desktop file that > registers Wine as a MIME handler for > 'application/x-ms-dos-executable', 'application/x-msi', and > 'application/x-bat'. [3] These handlers result in the command 'wine > start /unix FILE-NAME' being run, which of course loads the > executable code from the opened file into memory and starts running > it. That means, if you are unlucky enough to have an unsandboxed copy > of Wine as your only MIME handler for EXE files, any flatpak on your > system can break out of the sandbox by writing an EXE file somewhere, > then opening it with org.freedesktop.portal.OpenURI.OpenFile. This > issue has been reported to Wine a short while ago [4]; I didn't > report the issue privately since I couldn't find a security contact > for Wine and was encouraged to make a public bug report when I asked > for a security contact on IRC some time back. (I was also given an > email where I could privately contact someone, but I no longer have > it, and I was somewhat discouraged from using it when I initially > asked.) CVE-2026-48831 has been assigned for this. [1] -- Aaron [1] https://www.cve.org/CVERecord?id=CVE-2026-48831
pgpNo1tc0zY1i.pgp
Description: OpenPGP digital signature
