[Bug 19732] Security: use CAP_SYS_RAWIO during start up to map the memory below mmap_min_addr instead of permanently lowering it at install time

wine-bugs at winehq.org
Mon Aug 17 04:38:24 CDT 2009


http://bugs.winehq.org/show_bug.cgi?id=19732

--- Comment #9 from Alexandre Julliard <julliard at winehq.org>  2009-08-17 04:38:23 ---
(In reply to comment #8)
> I thought the security of CAP_SYS_RAWIO rather than mmap_min_addr wasn't to
> make Wine more secure, but to make the system more secure when Wine isn't
> running.  The kernel bug above, for instance, was exploitable by non-wine
> programs if the user merely had Wine installed.

Yes, but it doesn't make much difference, because all you have to do is to wrap
the exploit in a DOS binary and run it with Wine. Either way, if Wine is
installed you can exploit the bug. Dropping the caps wouldn't really help
either, since you can't distinguish a malicious DOS app from a legitimate one.
The only way is to not support DOS apps at all.

-- 
Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email
Do not reply to this email, post in Bugzilla using the
above URL to reply.
------- You are receiving this mail because: -------
You are watching all bug changes.
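
The bug title contrasts mapping low memory at start-up with permanently lowering mmap_min_addr at install time. The following is an added example, not part of the original mail and not Wine's code: a shell check that reads sysctl.conf-style text and reports whether the last assignment to vm.mmap_min_addr falls below a floor. The sample configuration is constructed, and the 65536 floor and the function names are assumptions.

```shell
#!/bin/sh
# Added example: audit sysctl-style configuration for a lowered vm.mmap_min_addr.

# Constructed sample input (not from any real package): a default followed by
# a later drop-in that overrides it, using the alternative "/" key spelling.
SAMPLE_CONF='# constructed sample
vm.mmap_min_addr = 65536
kernel.sysrq = 0
vm/mmap_min_addr=0'

# Print the last value assigned to vm.mmap_min_addr in the sysctl.conf-style
# text on stdin (later assignments override earlier ones); nothing if unset.
effective_min_addr() {
    awk '
        /^[ \t]*[#;]/ { next }                    # comment lines
        {
            line = $0
            sub(/^[ \t]*-?[ \t]*/, "", line)      # optional "-" (ignore errors) prefix
            n = index(line, "=")
            if (n == 0) next
            key = substr(line, 1, n - 1)
            val = substr(line, n + 1)
            gsub(/[ \t]/, "", key)
            gsub(/[ \t]/, "", val)
            gsub(/\//, ".", key)                  # vm/mmap_min_addr names the same key
            if (key == "vm.mmap_min_addr") last = val
        }
        END { if (last != "") print last }
    '
}

# check_min_addr FLOOR: classify the config on stdin. Prints unset, ok:N,
# lowered:N or unparsable:V; returns 1 when the value is below FLOOR.
check_min_addr() {
    floor=$1
    value=$(effective_min_addr)
    [ -n "$value" ] || { echo "unset"; return 0; }
    case $value in
        *[!0-9]*) echo "unparsable:$value"; return 2 ;;
    esac
    if [ "$value" -lt "$floor" ]; then
        echo "lowered:$value"
        return 1
    fi
    echo "ok:$value"
}

# FLOOR of 65536 is an assumption; use your distribution's default.
printf '%s\n' "$SAMPLE_CONF" | check_min_addr 65536 || true
```

On a live system, feed the function the configuration files in the order sysctl applies them; the value currently in effect can be read from /proc/sys/vm/mmap_min_addr.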


