http://bugs.winehq.org/show_bug.cgi?id=25537

Andrew Nguyen <arethusa26(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|wineserver                  |-unknown
           Severity|critical                    |normal

--- Comment #1 from Andrew Nguyen <arethusa26(a)gmail.com> 2010-12-16 15:00:01 CST ---
(In reply to comment #0)
> Probably since 1.3.8 or 1.3.9, any Windows application can open (read/write/list/erase) any files in / (root) regardless of user-defined disk devices (under ~/.wine/dosdevices).
I can't reproduce this behavior for normal Win32 file accesses with a clean Wine prefix after running winetricks sandbox, which removes the z: symlink and a few others.
> It's a huge security issue, because in the past you could erase the z: -> / symbolic link and safely run any software (including malware).
Removing the z: symlink provides only illusory security benefits, as http://wiki.winehq.org/FAQ#head-3cb8f054b33a63be30f98a1b6225d74e305a0459 discusses.
> This security measure has been removed without any explanation of how to harden your Wine PREFIX.
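
Added example (not part of the bug report and not Wine code): a shell function that lists the drive-letter symlinks under a prefix's dosdevices directory and flags any that resolve to / or to the home directory or one of its ancestors. The function name and the flag labels are made up for this example; the output describes the drive mappings only, which the reply above says are not a security boundary.

```shell
# Added example, not Wine code. Assumes the usual prefix layout:
# $WINEPREFIX/dosdevices/<letter>: is a symlink to a host directory.
audit_dosdevices() {
    # $1 = prefix (default $WINEPREFIX or ~/.wine), $2 = home directory to check
    local prefix home dir link name target flag
    prefix="${1:-${WINEPREFIX:-$HOME/.wine}}"
    home="${2:-$HOME}"
    dir="$prefix/dosdevices"
    [ -d "$dir" ] || { echo "no dosdevices directory in $prefix" >&2; return 2; }
    # Compare physical paths so a symlinked home directory still matches.
    home=$(cd "$home" && pwd -P) || return 2

    for link in "$dir"/*; do
        [ -L "$link" ] || continue          # only symlinks map drives
        name=${link##*/}
        if [ ! -e "$link" ]; then
            target=$(readlink "$link"); flag=DANGLING
        else
            target=$(readlink -f "$link")   # resolves ../drive_c style targets
            if [ "$target" = "/" ]; then
                flag=EXPOSES_ROOT
            else
                case "$home/" in
                    "$target"/*) flag=EXPOSES_HOME ;;  # target is home or an ancestor
                    *)           flag=ok ;;
                esac
            fi
        fi
        printf '%s\t%s\t%s\n' "$name" "$target" "$flag"
    done
}
```

Call it as `audit_dosdevices ~/.wine`; each output line is the drive name, the resolved host path and the flag, separated by tabs.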