Symlink vulnerability in winetricks

Stefan Nordhausen nordhaus at informatik.hu-berlin.de
Tue Dec 23 11:06:43 CST 2008


Hi!

Winetricks has a symlink vulnerability, it does

(echo "$title"; echo ""; echo "$text") > /tmp/x_showmenu.txt

An attacker can exploit this by creating a symlink called 
/tmp/x_showmenu.txt and have it point to some file that a winetricks 
user can write (e.g. ~/Documents/important_stuff.odf). Winetricks will 
then overwrite that file with its data.

To solve this, apply the following patch that simply avoids the creation 
of a temporary file:

--- winetricks  2008-12-18 06:34:42.000000000 +0100
+++ winetricks  2008-12-23 18:00:17.000000000 +0100
@@ -207,8 +207,8 @@
          args="$args,$1"
          shift
      done
-    (echo "$title"; echo ""; echo "$text") > /tmp/x_showmenu.txt
-    xmessage -print -file /tmp/x_showmenu.txt -buttons "Cancel,$args" | 
sed 's/Cancel//'
+    (echo "$title"; echo ""; echo "$text") | \
+    xmessage -print -file - -buttons "Cancel,$args" | sed 's/Cancel//'
  }

  showmenu()


Merry Christmas
Stefan



More information about the wine-devel mailing list