About Wine Security

Pierre Schweitzer pierre at reactos.org
Wed Jan 7 09:46:10 CST 2015


Dear all,

I'm coming to you after a short discussion with Alexandre on this topic.

Wine gets more and more used, in various ways: either directly by
users, or because it gets shipped in various forms. It can be packaged in
a distribution, forked to suit a project's needs (thinking about
pipelight), or even shipped along with software to save native porting
costs. Not to mention that it's the core of the ReactOS operating system itself.

But as with any other software, Wine can present security vulnerabilities.
MITRE exposes some of the code defect patterns (known as CWE) that can
lead to potential exploitation and thus to security vulnerabilities
[1]. When such a defect is found and looks potentially exploitable
(either because a crash was reported, or because it directly deals
with caller data), a vulnerability ID (CVE) can be assigned by MITRE
to reference the potential security vulnerability and make it known to
people using it.

Some of them (buffer overflow, overrun, double-free, use-after-free,
and so on) are sometimes found and fixed in Wine without further
consideration regarding what it would imply for real Wine (mis-)usage.
Even if no Proof of Concept is available at the time when the commit
is made, it doesn't mean it cannot be exploited later on. With such
exploits, it generally means that the attacker can target a Linux OS
through a crafted PE binary.

What I'm proposing here is that I start requesting CVE IDs for these
findings when I find them in the commit logs of Wine and they
look exploitable. My hope is that it would allow distributions to
repackage Wine taking care of these issues, but also to make people
shipping Wine aware that the Wine they are shipping is likely
vulnerable. This proposal is though limited in space & time: I
would only do it starting in 2015 (I don't believe going backwards
would make that much sense) and for the 1.7 branch which is, I believe,
the most used.

I'm looking for your feedback on my proposal and on how you believe such
vulnerabilities in Wine can affect the host Linux (or Mac).
This wouldn't involve more work on your side (except if I ask for
more details to make sure I'm right in my analysis of the issue).

With my best regards,

[1]: https://cwe.mitre.org/
-- 
Pierre Schweitzer <pierre at reactos.org>
System & Network Administrator
Senior Kernel Developer
ReactOS Deutschland e.V.



More information about the wine-devel mailing list