[Bug 53356] SECURITY RISK installing WineHQ and missing STABLE build on Ubuntu 22.04

WineHQ Bugzilla wine-bugs at winehq.org
Sun Jul 17 06:58:45 CDT 2022


https://bugs.winehq.org/show_bug.cgi?id=53356

--- Comment #5 from Ulf Zibis <Ulf.Zibis at gmx.de> ---
Malicious software, without needing root privileges, could modify the files:
- /usr/share/keyrings/winehq-archive.key
- /etc/apt/sources.list.d/winehq-jammy.sources
Then, as the result of the next automatic update, the original WineHQ binaries
could be replaced by malicious binaries.

Why do we use security keys at all, when they are not secure from modification?

Why not do it correctly in the first place, rather than hoping for the user to
correct the owner and rights with chown and chmod?

Anyway, it does not make sense to have user owned files in root owned
directories, so all files in /etc/apt/sources.list.d/ and /usr/share/keyrings/
should be:
  root root rw-r--r--
and not:
  user user rw-rw-r--

> "That doesn't prevent the user with sudo privilege to change the files any way they want."
But it prevents users WITHOUT sudo privilege from doing that.
On multi-user systems, normal users do not have such privileges for a good
reason.

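The ownership and mode check described in the comment above, as an added example that is not part of the original message or of WineHQ's packaging. The function name, the output format and the optional expected-uid/gid parameters are assumptions of this example; it relies on GNU `stat` as shipped on Ubuntu.

```shell
#!/bin/sh
# Added example: audit APT source and keyring files for the state the
# comment asks for (root root rw-r--r--) versus user-owned or writable files.

# audit_apt_trust_dir DIR [EXPECTED_UID] [EXPECTED_GID]
# Prints one line per finding; returns 0 if clean, 1 if anything is flagged.
# The expected ids default to 0 (root); they are parameters only so the
# check can be tried on a scratch directory without root (an assumption of
# this example, not something the bug report specifies).
audit_apt_trust_dir() {
    dir=$1
    want_uid=${2:-0}
    want_gid=${3:-0}
    rc=0
    [ -d "$dir" ] || { echo "SKIP $dir (not a directory)"; return 0; }
    # Check the directory itself, then each regular file directly inside it.
    for path in "$dir" "$dir"/*; do
        [ "$path" = "$dir" ] || [ -f "$path" ] || continue
        # GNU stat as shipped on Ubuntu; -L judges a symlink by its target.
        uid=$(stat -L -c %u "$path")
        gid=$(stat -L -c %g "$path")
        mode=$(stat -L -c %a "$path")
        if [ "$uid" != "$want_uid" ] || [ "$gid" != "$want_gid" ]; then
            echo "OWNER $path uid=$uid gid=$gid (expected $want_uid:$want_gid)"
            rc=1
        fi
        # 022 = write bit for group or other (rw-rw-r-- is 664, so it is flagged).
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "MODE $path mode=$mode (group- or other-writable)"
            rc=1
        fi
    done
    return "$rc"
}

# The two directories named in the comment.
findings=0
for d in /etc/apt/sources.list.d /usr/share/keyrings; do
    audit_apt_trust_dir "$d" || findings=1
done
[ "$findings" -eq 0 ] && echo "OK: files are root-owned and not group/other-writable"
```

The directory itself is checked as well, because a root-owned file inside a user-writable directory can still be replaced.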