[Bug 53356] SECURITY RISK installing WineHQ and missing STABLE build on Ubuntu 22.04

WineHQ Bugzilla wine-bugs at winehq.org
Sun Jul 17 15:56:55 CDT 2022


https://bugs.winehq.org/show_bug.cgi?id=53356

Olivier F. R. Dierick <o.dierick at piezo-forte.be> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|-unknown                    |www-unknown
            Product|Wine                        |WineHQ.org
            Version|7.0                         |unspecified
                 CC|                            |dimesio at earthlink.net

--- Comment #8 from Olivier F. R. Dierick <o.dierick at piezo-forte.be> ---
Hello,

(In reply to Ulf Zibis from comment #5)
> Malicious software, without needing root privileges, could modify the files:
> - /usr/share/keyrings/winehq-archive.key
> - /etc/apt/sources.list.d/winehq-jammy.sources
> Then, as the result of the next automatic update, the original WineHQ
> binaries could be replaced by malicious binaries.

I agree that this is a valid security risk. Malicious software can't use sudo
by itself, so changing the owner to root will prevent this.

> Why not do it correctly in the first place, rather than hoping for the user
> to correct the owner and rights with chown and chmod?

The wiki cannot do anything more than provide instructions, hoping that the
users will follow them and understand what they are doing.

I think that it's better to put the change of ownership in a separate command
in the wiki instructions, to bring the security concern to the attention of the
user.

(In reply to Ulf Zibis from comment #7)
> The recommended locations for keyrings are /usr/share/keyrings for keyrings
> managed by packages, and /etc/apt/keyrings for keyrings managed by the
> system operator.

Older versions of apt (such as the one provided by Debian 8 - apt 1.0.9.8.6)
didn't support /etc/apt/keyrings. It's recommended since apt 2.4. I think the
wiki instructions are older than that.

A note could be added for apt >=2.4.

I must say that I don't have permission to edit the wiki since I never did it
before.

I'm adding Rosanne DiMesio to this bug.

Regards.

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
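
An added example, not part of the original message or of the WineHQ wiki: a shell audit for the concern discussed above, checking that the keyring and sources files are owned by root and are not group- or world-writable. It goes slightly beyond the thread by also checking each file's parent directory; the function names are hypothetical and GNU `stat -c` (as on Ubuntu and Debian) is assumed.

```shell
#!/bin/sh
# Added example: audit owner and mode of apt trust files.
# Assumes GNU stat (coreutils). Function names are hypothetical.

# check_path PATH [EXPECTED_UID]
# Prints one line per finding.
# Returns 0 if clean, 1 on a finding, 2 if PATH does not exist.
check_path() {
    path=$1
    want_uid=${2:-0}
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 2
    fi
    stat_out=$(stat -L -c '%u %a' "$path")   # e.g. "1000 644"
    uid=${stat_out% *}
    mode=${stat_out#* }
    rc=0
    if [ "$uid" -ne "$want_uid" ]; then
        echo "OWNER    $path uid=$uid (expected $want_uid)"
        rc=1
    fi
    # 022 masks the group-write and other-write permission bits.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "WRITABLE $path mode=$mode (group/other write bit set)"
        rc=1
    fi
    return $rc
}

# audit_files EXPECTED_UID FILE...
# Checks each file and its parent directory, since a writable directory
# lets the file be replaced even when the file itself is locked down.
audit_files() {
    expected=$1
    shift
    bad=0
    for f in "$@"; do
        check_path "$f" "$expected" || bad=1
        check_path "$(dirname "$f")" "$expected" || bad=1
    done
    return $bad
}

# Run against the two paths named in the bug when called with --system.
if [ "${1:-}" = "--system" ]; then
    audit_files 0 /usr/share/keyrings/winehq-archive.key \
        /etc/apt/sources.list.d/winehq-jammy.sources
fi
```

A non-zero exit status from `audit_files` means at least one file or directory is missing, not owned by the expected user, or writable by group or others.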


