Possible security bug with unmount

Marcus Meissner meissner at suse.de
Wed Mar 23 11:18:40 CDT 2016


On Wed, Mar 23, 2016 at 04:57:29PM +0100, Cédric Picard wrote:
> Hi,
> 
> I find that DIR_unmount_device in wine/dlls/ntdll/directory.c (latest
> git) is looking like an unsafe use of system().
> 
> If a device was mounted to a point such as ";ls" I think it would be
> passed to system and cause a command injection.
> 
> I didn't open a bug because I wasn't able to really test it due to my
> lack of knowledge of wine and because I can't think of a real world
> attack based on this as it needs to mount a device first but I think
> it's worth at least a thorough check.
> 

Question is how to reach it... It is determined out of

	mount_point = get_device_mount_point ( st.st_rdev )

and not user supplied, but read out of mtab or /proc/mounts .

Ciao, Marcus
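
An added example, not part of the original messages and not Wine's code, showing the hardening the thread's concern points to: when the mount point is handed to the unmount tool as one argv element via fork/execvp instead of being pasted into a system() string, characters such as ";" are never interpreted by a shell. The helper names `run_no_shell` and `unmount_no_shell`, the choice of `umount`, and the absolute-path check are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run argv[0] with the given argument vector, without involving a shell.
 * Returns the child's exit status (127 if exec failed), or -1 on error. */
static int run_no_shell(char *const argv[])
{
    int status;
    pid_t pid = fork();

    if (pid == -1) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);   /* each argv[i] reaches the program verbatim */
        _exit(127);              /* only reached when exec failed */
    }
    while (waitpid(pid, &status, 0) == -1)
        if (errno != EINTR) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hypothetical helper: unmount by passing the mount point to umount as a
 * single argument. Only absolute paths are accepted, so the value cannot
 * be mistaken for an option either. */
static int unmount_no_shell(const char *mount_point)
{
    char *argv[] = { "umount", (char *)mount_point, NULL };

    if (!mount_point || mount_point[0] != '/') return -1;
    return run_no_shell(argv);
}

int main(void)
{
    /* Constructed sample: test(1) compares the argument it received with
     * the literal string, showing that ';' was not interpreted. */
    char *probe[] = { "test", ";ls", "=", ";ls", NULL };

    printf("argument passed verbatim: %s\n",
           run_no_shell(probe) == 0 ? "yes" : "no");
    printf("non-absolute mount point rejected: %s\n",
           unmount_no_shell(";ls") == -1 ? "yes" : "no");
    return 0;
}
```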


