New subject: Fwd: A basic implementation for increased security in wine proposal

1 Feb 2009

---------- Forwarded message ----------
From: Guillaume SH &lt;gsh.debianlists(a)gmail.com&gt;
Date: 2009/2/1
Subject: Re: A basic implementation for increased security in wine proposal
To: Marcus Meissner &lt;marcus(a)jet.franken.de&gt;

Hi Marcus,

I stand corrected, as it appears I was way too naive in my understanding of
software security, hence the example I provided.

Regarding you explanation justifying there is no need to protect API against
misuse, I am still not convinced, but I will think about it and try to get
to a thorough understanding.

Thank you for clarifying,
Guillaume

2009/2/1 Marcus Meissner &lt;marcus(a)jet.franken.de&gt;

...
  On Sun, Feb 01, 2009 at 10:41:25AM +0100, Guillaume SH
wrote:

  Hi Paul,

 You asked me to actually describe the security I am concerned about, so I  am
  going for it :

 Imagine an ill-intentioned people, call it the attackers. By the mean of
 simply creating the following C application (based on classical "Hello
 word") :

 #include needed header

 int main (int argc, char * argv[])
 {
     /* printf ( "Hello world!" ); */
     GetOverlappedResult(0, NULL, NULL, FALSE);

     return EXIT_SUCCESS;
 }

 Running this application on wine, I get to have my crash, with the
 possibility of an exploit. So all I have to do know is to find a vector  to
  make you and some other people willing to run my
application.

 I won't describe in detail the way to perform the exploit as :
       1 - I don't know how to proceed and I don't want to
       2 - It would be showing poor sense of responsibilities 
 If you can run an application ... it already can do everything!

 No need to protect APIs against misuse, they run at the same privilege
 level as your code.

 Ciao, Marcus