
Bug#816034: marked as done (wine32: insecure use of /tmp)



Your message dated Tue, 11 Dec 2018 03:06:32 +0000
with message-id <E1gWYNU-000GqI-Oq@fasolo.debian.org>
and subject line Bug#816034: fixed in wine 4.0~rc1-1
has caused the Debian Bug report #816034,
regarding wine32: insecure use of /tmp
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
816034: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816034
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: wine32
Version: 1.8.1-2
Tags: security

wine uses /tmp/.wine-$UID as a directory for sockets and lock files. This is insecure. A malicious local user could create /tmp/.wine-$UID for another user's uid, preventing the other user from using wine.

Moreover, the server_connect() function doesn't check if /tmp/.wine-$UID or its subdirectories are symlinks, so in some circumstances it might be possible to trick wine into connecting to an unrelated socket.


-- System Information:
Debian Release: stretch/sid
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 4.4.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages wine32 depends on:
ii  libc6         2.21-9
ii  libfreetype6  2.6.1-0.1
ii  libncurses5   6.0+20160213-1
ii  libwine       1.8.1-2
ii  x11-utils     7.7+3

Versions of packages wine32 recommends:
pn  libasound2-plugins  <none>
ii  libgl1-mesa-dri     11.1.2-1
ii  wine                1.8.1-2

--
Jakub Wilk

--- End Message ---
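
The report above names two gaps: a pre-created /tmp/.wine-$UID is trusted, and nothing checks for symlinks. The C sketch below is an added example, not Wine's code and not the change shipped in 4.0~rc1-1; open_private_dir() and run_scenarios() are hypothetical names, and the paths are constructed under a mkdtemp() directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not Wine's code: create or verify a private per-user
 * directory and return a descriptor for it, or -1 on any doubt. */
int open_private_dir(const char *path)
{
    struct stat st;
    int fd;
    /* EEXIST only means somebody (perhaps another user) created it first. */
    if (mkdir(path, 0700) == -1 && errno != EEXIST)
        return -1;
    /* O_NOFOLLOW: fail if the final component is a symlink. */
    fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd == -1)
        return -1;
    /* Check the object actually opened, so check and use cannot diverge. */
    if (fstat(fd, &st) == -1 || !S_ISDIR(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & 077) != 0) {
        close(fd);
        return -1;
    }
    return fd; /* resolve sockets and lock files relative to fd (openat, fchdir) */
}

/* Constructed scenarios under a fresh mkdtemp() base; returns 1 if the helper
 * accepts the good directory and rejects the symlink and the loose mode. */
int run_scenarios(void)
{
    char base[] = "/tmp/privdir-demo-XXXXXX", good[64], lnk[64], loose[64];
    int ok_fd, lnk_fd, loose_fd;
    if (!mkdtemp(base)) return 0;
    snprintf(good, sizeof good, "%s/good", base);
    snprintf(lnk, sizeof lnk, "%s/link", base);
    snprintf(loose, sizeof loose, "%s/loose", base);
    ok_fd = open_private_dir(good);           /* fresh 0700 directory: accepted */
    if (symlink(good, lnk) == -1) return 0;
    lnk_fd = open_private_dir(lnk);           /* symlink to a good dir: rejected */
    if (mkdir(loose, 0700) == -1 || chmod(loose, 0755) == -1) return 0;
    loose_fd = open_private_dir(loose);       /* group/other access: rejected */
    if (ok_fd >= 0) close(ok_fd);
    return ok_fd >= 0 && lnk_fd == -1 && loose_fd == -1;
}
int main(void) { return run_scenarios() ? 0 : 1; }
```

A directory pre-created by another user fails the st_uid comparison; the caller still cannot use that name, so the check prevents misuse of a foreign directory but not the denial of service described in the report.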
--- Begin Message ---
Source: wine
Source-Version: 4.0~rc1-1

We believe that the bug you reported is fixed in the latest version of
wine, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 816034@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <mgilbert@debian.org> (supplier of updated wine package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 11 Dec 2018 01:42:16 +0000
Source: wine
Binary: wine wine32 wine64 wine32-preloader wine64-preloader wine32-tools wine64-tools libwine libwine-dev wine-binfmt fonts-wine
Architecture: source
Version: 4.0~rc1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Wine Party <debian-wine@lists.debian.org>
Changed-By: Michael Gilbert <mgilbert@debian.org>
Description:
 fonts-wine - Windows API implementation - fonts
 libwine    - Windows API implementation - library
 libwine-dev - Windows API implementation - development files
 wine       - Windows API implementation - standard suite
 wine-binfmt - Windows API implementation - binfmt support
 wine32     - Windows API implementation - 32-bit binary loader
 wine32-preloader - Windows API implementation - prelinked 32-bit binary loader
 wine32-tools - Windows API implementation - 32-bit developer tools
 wine64     - Windows API implementation - 64-bit binary loader
 wine64-preloader - Windows API implementation - prelinked 64-bit binary loader
 wine64-tools - Windows API implementation - 64-bit developer tools
Closes: 816034
Changes:
 wine (4.0~rc1-1) unstable; urgency=medium
 .
   * New upstream release 4.0-rc1, released Dec 7, 2018.
     - Updates to the timezone database.
     - Vulkan support updated to the latest spec.
     - Stream I/O support in WebServices.
     - Better palette support in WindowsCodecs.
     - Synchronization objects support for kernel drivers.
     - Various bug fixes.
   * Switch to the stable branch.
     - Safer temporary directory handling (closes: #816034).


--- End Message ---
