Bug#971759: wine: Buffer overflow in fixes/temporary-directory.patch
Package: wine
Version: 5.0-4
Severity: important
Hello.
Recently we hit a buffer overflow in wine_5.0-4.
There was a mkdir error while creating the "/run/$UID! /wine" directory
when running winecfg. The error was produced by wineserver32.
Note the strange "! " part after $UID - it looks like a missing
\0 terminator in a C char*.
Our $UIDs are produced by sssd, which is joined to an Active Directory domain.
The $UID length is 10 chars.
I looked at "fixes/temporary-directory.patch" and found incorrect usage of sizeof().
Patch attached for "debian/5.0-4" tag (bullseye branch).
It's also available at salsa [1] however MRs are disabled for wine-team/wine
project so I was unable to submit it.
[1] https://salsa.debian.org/nE0sIghT-guest/wine/-/commit/7867f27a582b3665844efcadc8003253ddebff9d
>From 7867f27a582b3665844efcadc8003253ddebff9d Mon Sep 17 00:00:00 2001
From: Yuri Konotopov <ykonotopov@gnome.org>
Date: Mon, 5 Oct 2020 21:47:00 +0400
Subject: [PATCH] Fix buffer overflow in fixes/temporary-directory.patch
Signed-off-by: Yuri Konotopov <ykonotopov@gnome.org>
---
.../patches/fixes/temporary-directory.patch | 22 +++++++++++--------
1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/debian/patches/fixes/temporary-directory.patch b/debian/patches/fixes/temporary-directory.patch
index 358ae18709..d7a48b3d5f 100644
--- a/debian/patches/fixes/temporary-directory.patch
+++ b/debian/patches/fixes/temporary-directory.patch
@@ -4,8 +4,10 @@ bug-debian: https://bugs.debian.org/903622
bug-debian: https://bugs.debian.org/904041
bug-upstream: https://bugs.winehq.org/show_bug.cgi?id=39013
---- a/libs/wine/config.c
-+++ b/libs/wine/config.c
+Index: wine/libs/wine/config.c
+===================================================================
+--- wine.orig/libs/wine/config.c
++++ wine/libs/wine/config.c
@@ -25,6 +25,7 @@
#include <stdarg.h>
#include <stdlib.h>
@@ -63,8 +65,8 @@ bug-upstream: https://bugs.winehq.org/show_bug.cgi?id=39013
+ }
+ else
+ {
-+ const char *tmp_default = "/tmp";
-+ tmp_dir = xmalloc( sizeof(tmp_default) + 1 );
++ const char tmp_default[] = "/tmp";
++ tmp_dir = xmalloc( sizeof(tmp_default) );
+ strcpy( tmp_dir, tmp_default );
+ }
+
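Review bot: The corrected `xmalloc( sizeof(tmp_default) )` is right now that `tmp_default` is an array (5 bytes including the terminator), but the allocation and the `strcpy` are still two statements that have to be kept in agreement by hand. If config.c's `xstrdup` helper is in scope at this point (it is not visible in the hunk), `tmp_dir = xstrdup( "/tmp" );` would remove the size arithmetic entirely. The enclosing function and the `if` branch that precedes this `else` lie outside the hunk.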
@@ -138,8 +140,10 @@ bug-upstream: https://bugs.winehq.org/show_bug.cgi?id=39013
server_dir = xmalloc( strlen(root) + sizeof(server_dir_prefix) + 2*sizeof(dev) + 2*sizeof(ino) + 2 );
strcpy( server_dir, root );
---- a/server/request.c
-+++ b/server/request.c
+Index: wine/server/request.c
+===================================================================
+--- wine.orig/server/request.c
++++ wine/server/request.c
@@ -21,6 +21,7 @@
#include "config.h"
#include "wine/port.h"
@@ -166,7 +170,7 @@ bug-upstream: https://bugs.winehq.org/show_bug.cgi?id=39013
/* create the server directory and chdir to it */
static char *create_server_dir( int force )
{
-+ const char *server_root_prefix = "/run/user";
++ const char server_root_prefix[] = "/run/user";
const char *prefix = getenv( "WINEPREFIX" );
- char *p, *config_dir;
+ char *p, *config_dir, *run_dir;
@@ -181,13 +185,13 @@ bug-upstream: https://bugs.winehq.org/show_bug.cgi?id=39013
- if (!(server_dir = malloc( len ))) fatal_error( "out of memory\n" );
- sprintf( server_dir, "/tmp/.wine-%u", getuid() );
+ /* use /run/user/$uid as wineserver's tmpdir by default */
-+ if (!(run_dir = malloc( sizeof(server_root_prefix) + 12 )))
++ if (!(run_dir = malloc( sizeof(server_root_prefix) + 13 )))
+ fatal_error( "out of memory\n" );
+ sprintf( run_dir, "%s/%u", server_root_prefix, getuid() );
+
+ if (opendir( run_dir )) /* use /run as the temporary directory */
+ {
-+ len += sizeof(server_root_prefix) + 17;
++ len += strlen(run_dir) + 6;
+ if (!(server_dir = malloc( len )))
+ fatal_error( "out of memory\n" );
+ sprintf( server_dir, "%s/wine", run_dir );
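Review bot: The buffers in this hunk are still sized by hand-counted constants (`+ 13`, `+ 6`) and then filled with unbounded `sprintf`, which is the same pattern that produced the overflow being fixed. With the array form, `sizeof(server_root_prefix)` is 10, so 23 bytes covers "/run/user", the slash, a 10-digit uid and the terminator, but nothing ties that to the width of `uid_t`. Keeping the size in a variable and writing `snprintf( run_dir, run_dir_size, "%s/%u", server_root_prefix, getuid() );` would make a miscount truncate the path instead of writing past the allocation. Separately, `if (opendir( run_dir ))` discards the returned `DIR *`, so the handle is never closed, and it only shows that the directory can be opened, not that it belongs to the calling uid; whether ownership is checked later cannot be seen here. The initial value of `len` and the rest of create_server_dir lie outside the hunk.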
--
GitLab