Fwd: A basic implementation for increased security in wine proposal

Guillaume SH gsh.debianlists at gmail.com
Sun Feb 1 04:46:59 CST 2009


---------- Forwarded message ----------
From: Guillaume SH <gsh.debianlists at gmail.com>
Date: 2009/2/1
Subject: Re: A basic implementation for increased security in wine proposal
To: Marcus Meissner <marcus at jet.franken.de>


Hi Marcus,

I stand corrected, as it appears I was way too naive in my understanding of
software security, hence the example I provided.

Regarding your explanation justifying there is no need to protect API against
misuse, I am still not convinced, but I will think about it and try to get
to a thorough understanding.

Thank you for clarifying,
Guillaume

2009/2/1 Marcus Meissner <marcus at jet.franken.de>

> On Sun, Feb 01, 2009 at 10:41:25AM +0100, Guillaume SH wrote:
>
> > Hi Paul,
> >
> > You asked me to actually describe the security I am concerned about, so I am
> > going for it :
> >
> > Imagine ill-intentioned people, call them the attackers. By means of
> > simply creating the following C application (based on classical "Hello
> > world") :
> >
> >
> > #include <windows.h>  /* GetOverlappedResult, FALSE */
> > #include <stdlib.h>   /* EXIT_SUCCESS */
> >
> > int main (int argc, char * argv[])
> > {
> >     /* printf ( "Hello world!" ); */
> >     GetOverlappedResult(0, NULL, NULL, FALSE);
> >
> >     return EXIT_SUCCESS;
> > }
> >
> >
> > Running this application on wine, I get to have my crash, with the
> > possibility of an exploit. So all I have to do now is to find a vector to
> > make you and some other people willing to run my application.
> >
> > I won't describe in detail the way to perform the exploit as :
> >       1 - I don't know how to proceed and I don't want to
> >       2 - It would be showing poor sense of responsibilities
>
> If you can run an application ... it already can do everything!
>
> No need to protect APIs against misuse, they run at the same privilege
> level as your code.
>
> Ciao, Marcus
>
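
Marcus's point about privilege levels, shown as an added example that is not code from this thread: a user-mode API that trusts its arguments faults inside the calling process only, and nothing outside that process is affected. The names `api_get_result` and `child_crashed` are hypothetical, and POSIX `fork`/`waitpid` are assumed as the host environment.

```c
#include <stdio.h>
#include <stddef.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for a user-mode API that does not validate its
   arguments: it writes through the out-pointer as given. It runs with the
   caller's own privileges, so the caller could perform this write itself. */
static int api_get_result(int *volatile out)
{
    *out = 42;
    return 1;
}

/* Call the API in a child process and report how that process ended.
   Returns 0 for a clean exit, 1 if the child was killed by a signal or
   exited with a non-zero status, -1 if fork/waitpid failed. */
int child_crashed(int pass_null)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int value = 0;
        /* volatile keeps the compiler from reasoning about the NULL case */
        int *volatile target = pass_null ? NULL : &value;
        api_get_result(target);
        _exit(value == 42 ? 0 : 2);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return 0;
    return 1;
}

int main(void)
{
    /* The fault is confined to the process that made the bad call; the
       parent, a separate process, only observes the exit status. */
    printf("valid pointer: child crashed = %d\n", child_crashed(0));
    printf("NULL pointer:  child crashed = %d\n", child_crashed(1));
    printf("parent still running, pid %ld\n", (long)getpid());
    return 0;
}
```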