-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 07/01/2015 22:25, Vincent Povirk wrote:
On Wed, Jan 7, 2015 at 2:56 PM, Pierre Schweitzer pierre@reactos.org wrote:
Likely my 'crafted' word was poorly chosen. Here, I refer to a binary designed to exploit the flaws in Wine, as it would be designed to exploit flaws in any library. The user excepts to run a sane binary, whereas said binary will actually use its running context to corrupt memory, attempt to cause a denial of service in Wine, and so on. As for any other exploit (be it for a lib or another tool).
Typically, flaws in a library don't allow a program using the library to do anything it couldn't do without access to that flaw. The exception would be something like polkit which has privileged components compared to the software using it.
Depends. We can think about other scenario. Vulnerability in an API a network application is using, which allows leaking data over the network. Or to run another program remotely. Or bypass security checks and execute parts it shouldn't. Even if this doesn't elevate privileges, it can already harm. Not talking about crashing the whole Wine instance.
All of Wine's components run as a single user, so flaws in them cannot be exploited in this way.
I think we would be more worried about a scenario where a flaw in Wine creates vulnerabilities in programs running in Wine. An example would be if one of our image processing functions corrupted memory when given some invalid data. This could be demonstrated using a test program that reads an image using the Windows API, combined with crafted image data that exploits the flaw.
Yup, sorry, forgot to speak about that one, which is also often tracked. That can even go farther. Crafted images or input for a program can lead to severe damages, or running programs (cf: CVE-2014-7209).
The test program does not have to be designed to exploit a flaw, in fact the problem is that it was designed to do something sane (read and display an image), but an attacker supplying the image file can make it do something else.
(Sorry if you already know all this, it's unclear based on what you've said.)
Thanks for it. I would have totally forgotten to speak about it otherwise!
Cheers, - -- Pierre Schweitzer <pierre at reactos.org> System & Network Administrator Senior Kernel Developer ReactOS Deutschland e.V.