-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/01/2015 22:25, Vincent Povirk wrote:
> On Wed, Jan 7, 2015 at 2:56 PM, Pierre Schweitzer <pierre(a)reactos.org> wrote:
>> Likely my 'crafted' word was poorly chosen. Here, I refer to a binary designed to exploit the flaws in Wine, as it would be designed to exploit flaws in any library. The user expects to run a sane binary, whereas said binary will actually use its running context to corrupt memory, attempt to cause a denial of service in Wine, and so on. As for any other exploit (be it for a lib or another tool).
> Typically, flaws in a library don't allow a program using the library to do anything it couldn't do without access to that flaw. The exception would be something like polkit which has privileged components compared to the software using it.
Depends. We can think about other scenarios. Vulnerability in an API a network application is using, which allows leaking data over the network. Or to run another program remotely. Or bypass security checks and execute parts it shouldn't. Even if this doesn't elevate privileges, it can already harm. Not talking about crashing the whole Wine instance.
> All of Wine's components run as a single user, so flaws in them cannot be exploited in this way.
> I think we would be more worried about a scenario where a flaw in Wine creates vulnerabilities in programs running in Wine. An example would be if one of our image processing functions corrupted memory when given some invalid data. This could be demonstrated using a test program that reads an image using the Windows API, combined with crafted image data that exploits the flaw.
Yup, sorry, forgot to speak about that one, which is also often tracked. That can even go farther. Crafted images or input for a program can lead to severe damage, or to running programs (cf. CVE-2014-7209).
> The test program does not have to be designed to exploit a flaw, in fact the problem is that it was designed to do something sane (read and display an image), but an attacker supplying the image file can make it do something else.
> (Sorry if you already know all this, it's unclear based on what you've said.)
Thanks for it. I would have totally forgotten to speak about it otherwise!

Cheers,
- --
Pierre Schweitzer <pierre at reactos.org>
System & Network Administrator
Senior Kernel Developer
ReactOS Deutschland e.V.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJUrlEmAAoJEHVFVWw9WFsLJk4P/2HWr15ZK47K2EvDPUY6SMJm
Y8icgSpX1Ms2YEWnqhA2QCKilQDgcdrUW56iHl6LLTIWESNL5BXbXYyxmJR1LXoD
0cT+dHpXscG8QQss4bA6PUP7zx7Il2gp/Ytf2/t/6hjESZ3lSXohskXBT/ET9iRN
SLcfjU1RW/kBGPTCMfgkckx5OXHQmMQIXK/Vyddm6gBcKMA0FXBQdEOQpCy7tmre
QniEPRvoRLDZhWllDAcWlMBvTcy/aYIBQeaMsbsLgWNRpMfQ13g+yPyhxTP5gNRw
g0opsa/47XX5ehaWhA0QGQWOSsUvqaFQzXkIOhcZLz2/W98dAwb+e17M9ZTQ0h/I
qmkC2vFe9pNOC274/LjfkZaHkM1fKDmgloi1RwueuxPbkoIBFnbRkbqpiHcuptAQ
sH8YXm3vlY8ee9EfQiRm5cJMsys2DOkEKcfD7SDqqEv3KgG5KhR40qzgsgH0IjXZ
TF72/sRnP9hQ+VkpwFYmiBcBYtOX/szUeebWC2f2vKfIds8MjDq3GZSt9h88bUFO
bcc9eU8tk5oEtmWiYpL8RV9zL7CLkZcLJphDLBp3L3Yy/fIj8KSVQIZub55G+yf4
IYuDnHoA7lBbFkXV3Q3fkYQYyl/1+xRuJnxlv48UJjB+hld45NFbqqhA80b449Do
Oi4ifPoGazTCZlBf7fxS
=6xES
-----END PGP SIGNATURE-----
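The image-decoder scenario Vincent describes in the thread above (a sane program reads an image, but the image file is attacker-supplied), as an added example that is not part of this thread and is not Wine's or Windows' code. The "IMG1" file format, the MAX_PIXELS cap and every function name here are invented for the illustration. The vulnerable loader computes width*height in 32 bits, so a 16-byte header claiming 65536x65537 pixels makes it allocate 65536 bytes and then write 4 GiB of rows; the hardened loader rejects the same file before allocating. The test program in main() never runs the vulnerable loader on the crafted input; it only computes how far that loader would overrun.

```c
/* Added example, not Wine code: toy image loader with a wrapping allocation
 * size next to a hardened version. Format, cap and names are invented. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HDR_LEN 12             /* "IMG1", u32 width, u32 height (little-endian) */
#define MAX_PIXELS (1u << 28)  /* assumed sanity cap on width*height */

struct image { uint32_t w, h; uint8_t *pixels; };

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static int parse_header(const uint8_t *buf, size_t len, uint32_t *w, uint32_t *h)
{
    if (len < HDR_LEN || memcmp(buf, "IMG1", 4) != 0) return -1;
    *w = rd32le(buf + 4);
    *h = rd32le(buf + 8);
    return 0;
}

/* Lenient row decoder: rows missing from the file are zero-filled. It writes
 * h rows of w bytes regardless of how big img->pixels actually is. */
static void decode_rows(struct image *img, const uint8_t *payload, size_t plen)
{
    for (uint32_t y = 0; y < img->h; y++) {
        size_t off = (size_t)y * img->w;           /* size_t: no wrap here */
        if (off + img->w <= plen) memcpy(img->pixels + off, payload + off, img->w);
        else memset(img->pixels + off, 0, img->w);
    }
}

/* VULNERABLE: w*h is computed in 32 bits and can wrap, so the buffer is far
 * smaller than what decode_rows() writes: a heap overflow from a 16-byte file.
 * Never call this on untrusted input; main() only feeds it benign images. */
int load_image_vulnerable(const uint8_t *buf, size_t len, struct image *img)
{
    if (parse_header(buf, len, &img->w, &img->h) != 0) return -1;
    uint32_t nbytes = img->w * img->h;             /* BUG: 32-bit wrap */
    img->pixels = malloc(nbytes ? nbytes : 1);
    if (!img->pixels) return -1;
    decode_rows(img, buf + HDR_LEN, len - HDR_LEN);
    return 0;
}

/* HARDENED: validate the header before trusting it, and refuse to pad. */
int load_image_hardened(const uint8_t *buf, size_t len, struct image *img)
{
    if (parse_header(buf, len, &img->w, &img->h) != 0) return -1;
    if (img->w == 0 || img->h == 0) return -2;          /* empty image */
    if (img->w > MAX_PIXELS / img->h) return -3;        /* product would overflow or exceed cap */
    size_t nbytes = (size_t)img->w * img->h;
    if (len - HDR_LEN < nbytes) return -4;              /* truncated file */
    img->pixels = malloc(nbytes);
    if (!img->pixels) return -1;
    memcpy(img->pixels, buf + HDR_LEN, nbytes);
    return 0;
}

/* Bytes the vulnerable loader would write past its allocation for this
 * header (computed from the header, not by running the overflow). */
uint64_t vulnerable_overrun_bytes(const uint8_t *buf, size_t len)
{
    uint32_t w, h;
    if (parse_header(buf, len, &w, &h) != 0) return 0;
    uint64_t written = (uint64_t)w * h, allocated = (uint32_t)(w * h);
    return written > allocated ? written - allocated : 0;
}

/* Run a loader; return its error code (< 0), or pixel[idx] on success. */
int run_loader(int (*loader)(const uint8_t *, size_t, struct image *),
               const uint8_t *buf, size_t len, size_t idx)
{
    struct image img;
    int rc = loader(buf, len, &img);
    if (rc != 0) return rc;
    int px = img.pixels[idx];
    free(img.pixels);
    return px;
}

/* Constructed sample files (not real image data). */
static const uint8_t BENIGN[HDR_LEN + 8] = {           /* 4x2, all rows present */
    'I','M','G','1', 4,0,0,0, 2,0,0,0, 1,2,3,4, 5,6,7,8 };
static const uint8_t TRUNCATED[HDR_LEN + 4] = {        /* 4x2, second row missing */
    'I','M','G','1', 4,0,0,0, 2,0,0,0, 9,9,9,9 };
static const uint8_t CRAFTED[HDR_LEN + 4] = {          /* 65536x65537: w*h wraps to 65536 */
    'I','M','G','1', 0,0,1,0, 1,0,1,0, 0xAA,0xBB,0xCC,0xDD };

int main(void)
{
    printf("vulnerable, benign:    pixel[7]=%d\n", run_loader(load_image_vulnerable, BENIGN, sizeof BENIGN, 7));
    printf("vulnerable, truncated: pixel[7]=%d (zero-padded)\n", run_loader(load_image_vulnerable, TRUNCATED, sizeof TRUNCATED, 7));
    printf("vulnerable, crafted:   would write %llu bytes past a 65536-byte buffer\n",
           (unsigned long long)vulnerable_overrun_bytes(CRAFTED, sizeof CRAFTED));
    printf("hardened, truncated:   rc=%d\n", run_loader(load_image_hardened, TRUNCATED, sizeof TRUNCATED, 7));
    printf("hardened, crafted:     rc=%d\n", run_loader(load_image_hardened, CRAFTED, sizeof CRAFTED, 0));
    return 0;
}
```

The point of the example is Vincent's: nothing in the loader is malicious, and the program that calls it does exactly what it was written to do, yet the attacker who controls the file decides what gets written and where. The hardened variant applies the two checks a reviewer would ask for in any decoder: bound the product of attacker-controlled dimensions before using it as an allocation size, and refuse input that is shorter than the header claims instead of silently padding it.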