March 2023 - wine-gitlab

[PATCH 0/1] MR2472: CommandLineToArgvW: fixed vulnerability by incorrect parsing
by Sergey G. Brester (＠sebres) 23 Mar '23

23 Mar '23

### Merge request This fixes a vulnerability by incorrect parsing of command line arguments. The way how a triple quote chars (or double quote chars inside a quoted string) will be currently parsed in `CommandLineToArgvW` of wine is wrong, therefore opens an attack vector (using artificially created command line validated with different rules matching default parsing mechanism of Windows), so could be even considered as a vulnerability. ## Proposed changes `CommandLineToArgvW` will parse command line arguments correct and more similar to Windows. Here is the diff illustrating wrong behavior: ```diff ## # test is an alias for ## # python.exe -c "from sys import argv; del argv[0]; print(str(len(argv)) + ' | ' + ' | '.join(argv))" - # Wine + # Windows (and fixed variant) ## double in quoted string: > test "abc""def" ghi" xxx - 2 | abc"def ghi | xxx + 2 | abc"def | ghi xxx > test "abc"""def" ghi" xxx - 3 | abc"def | ghi" xxx + 2 | abc"def ghi | xxx ## triple in unquoted string: > test abc"""def" ghi" xxx - 2 | abc"def ghi | xxx + 2 | abc"def | ghi xxx > test abc""""def" ghi" xxx - 2 | abc"def | ghi xxx + 2 | abc"def ghi | xxx ``` As a consequence: - the arguments can be parsed incorrectly (compared to default behavior of Windows parser) in the way that parts of quoted arguments may become unquoted and vice versa, as well as swim between different args; - an attacker may create artificial command line that pass validation rules of nominal condition of Windows, but vulnerable here (inject, data steal, etc), because the arguments would deviate between validation and execution phase - special tokens like pipe `|`, ampersand `&` or redirecting tokens like `>` that normally included in quoted string (and validated as a string) could abrupt get different meaning and used for piping, redirecting etc, that beside the injection possibility opens still worse attacking vector that can even cause RCE or used to create persistent exploits. <details><summary>Here is the nominal condition how arguments will be parsed in Windows...</summary> cmd line|arg1|arg2 ---|---|--- abc" "def|abc def| abc\\" \\"def|abc"|"def "abc\\" \\"def"|abc" "def| "abc"" ""def"|abc" "def| abc"" ""def|abc|def abc""" """def|abc" "def| abc\\""" \\"""def|abc"|"def abc\\\\""" \\\\"""def|abc\\" \\"def "abc"""def" ghi"|abc"def ghi| "abc"""def" ghi * missing close qoute at end|abc"def ghi| "abc""def" ghi|abc"def|ghi "abc\\"""def" ghi|abc""def|ghi "abc\\\\"""def" ghi"|abc\\"def ghi| "abc\\\\\\"""def" ghi|abc\\""def|ghi "abc\\\\\\\\"""def" ghi"|abc\\\\"def ghi| </details> For PoC one could use any lang like tcl, python, etc, or even a self-written executable getting the argc/argv from main. The above diff and nominal condition was generated using this python script on Windows box: ```python from sys import argv; del argv[0]; print(str(len(argv)) + ' | ' + ' | '.join(argv)) ``` ## References [Related PR](https://github.com/reactos/reactos/pull/5186) with fix for ReactOS. -- https://gitlab.winehq.org/wine/wine/-/merge_requests/2472

3 6

[PATCH 0/7] MR2476: winewayland.drv: part 2: Display configuration enhancements
by Alexandros Frantzis (＠afrantzis) 23 Mar '23

23 Mar '23

This second MR in the Wayland series adds display configuration related enhancements, including providing more display information (like a proper/consistent name and position) to Wine and implementing GetCurrentDisplaySettings. To get additional information from the Wayland compositor we need to use a protocol from the wayland-protocols collection, so we introduce support in the build system for protocol .xml files, and also makedep changes to gracefully handle the case these external sources are missing when the driver is disabled. These changes are introduced on their own in the first commit in the series, but we can squash it with the next commit, where the functionality is first used, if preferred. To be able to provide a consistent view of the display settings across all processes, this MR adds a shared memory region containing an authoritative version of the Wayland output information (see the "winewayland.drv: Implement GetCurrentDisplaySettings." commit for more details). **Important note:** This MR requires the wayland-protocols package in the CI docker image. Without it the Wayland driver build will be disabled, so any build results are not going to be representative of the Wayland driver code changes in this branch. Thanks! -- https://gitlab.winehq.org/wine/wine/-/merge_requests/2476

5 12

[PATCH v2 0/1] MR2481: wldap32: Handle null DN or null message in ldap_delete* and add tests.
by Alex Henrie (＠alexhenrie) 23 Mar '23

23 Mar '23

On Windows, ldap_delete_(ext_)s returns LDAP_UNWILLING_TO_PERFORM when trying to delete an entry that cannot be deleted. On Unix, LDAP_SERVER_DOWN is returned instead. Unix also returns LDAP_SERVER_DOWN immediately from ldap_delete_ext if the entry cannot be deleted, whereas Windows queues an asynchronous operation and returns LDAP_SUCCESS. Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=54702 -- v2: wldap32: Handle null DN or null message in ldap_delete* and add tests. https://gitlab.winehq.org/wine/wine/-/merge_requests/2481

3 5

[PATCH v2 0/6] MR2456: widl: Improve error messages source location.
by Rémi Bernon (＠rbernon) 23 Mar '23

23 Mar '23

-- v2: widl: Print the import stack and context in messages. widl: Improve accuracy of error messages location. widl: Enable bison locations option. widl: Move diagnostic and location functions to parser.l. widl: Allow source location to span over multiple lines. widl: Rename (error|warning)_loc_info to (error|warning)_at. https://gitlab.winehq.org/wine/wine/-/merge_requests/2456

3 8

[PATCH v2 0/5] MR2483: kernelbase: Add full support for shared Software\Classes keys.
by Sven Baars (＠sbaars) 23 Mar '23

23 Mar '23

I initially wanted to do the refactoring in a separate merge request, but since my merge request yesterday broke the tests, I decided to add the implementation into this commit as well. -- v2: kernelbase: Recursively obtain the Wow6432Node parent. kernelbase: Add support for shared registry keys. https://gitlab.winehq.org/wine/wine/-/merge_requests/2483

3 6

[PATCH v3 0/5] MR2483: kernelbase: Add full support for shared Software\Classes keys.
by Sven Baars (＠sbaars) 23 Mar '23

23 Mar '23

I initially wanted to do the refactoring in a separate merge request, but since my merge request yesterday broke the tests, I decided to add the implementation into this commit as well. -- v3: kernelbase: Recursively obtain the Wow6432Node parent. kernelbase: Add support for shared registry keys. https://gitlab.winehq.org/wine/wine/-/merge_requests/2483

2 6

[PATCH v2 0/11] MR2484: wineps: Initial work on writing ps data in print processor
by Piotr Caban (＠piotr) 23 Mar '23

23 Mar '23

-- v2: wineps: Handle EMR_LINETO record in spool files. wineps: Handle EMR_MOVETOEX record in spool files. wineps: Handle EMR_RECTANGLE record in spool files. wineps: Handle pen selection in spool files. wineps: Handle brush selection in spool files. wineps: Handle EMR_EOF record in spool files. wineps: Handle EMR_HEADER record in spool files. wineps: Write document header and footer in PrintDocumentOnPrintProcessor. https://gitlab.winehq.org/wine/wine/-/merge_requests/2484

3 13

[PATCH 0/11] MR2484: wineps: Initial work on writing ps data in print processor
by Piotr Caban (＠piotr) 23 Mar '23

23 Mar '23

-- https://gitlab.winehq.org/wine/wine/-/merge_requests/2484

2 12

[PATCH v4 0/3] MR1895: Fixes for NtOpenFile of read-only files with FILE_WRITE_ATTRIBUTES
by Joel Holdsworth (＠jhol) 23 Mar '23

23 Mar '23

Previously, the Wine implementation of `NtOpenFile` would fail to open read-only files for `FILE_WRITE_ATTRIBUTES` access in wine-server, because it would attempt to open the file with `O_RDWR` or `O_WRONLY` access. This patch-set adds test cases to highlight the issue, and solves it by only opening the file with write access where necessary. * Wine Bug: [#50771](https://bugs.winehq.org/show_bug.cgi?id=50771) * Related Wine-Staging Patches: * [0002-server-Allow-to-open-files-without-any-permission-bi.patch](https://gi… * [0006-ntdll-tests-Added-tests-for-open-behaviour-on-readon.patch](https://gi… * [0007-server-FILE_WRITE_ATTRIBUTES-should-succeed-for-read.patch](https://gi… -- v4: server: Allow to open read-only files with FILE_WRITE_ATTRIBUTES server: Open code FILE_UNIX_{READ,WRITE}_ACCESS ntdll/tests: Added tests for attributes access on read-only files. https://gitlab.winehq.org/wine/wine/-/merge_requests/1895

2 3

Re: [PATCH v10 0/1] MR2183: winecfg: Add an option to set WinRT app dark theme.
by Alexandre Julliard (＠julliard) 23 Mar '23

23 Mar '23

> How's this? > > Thanks for the review! :smiley: Actually thinking some more about this, a simple check mark may be better than a drop-down. It's not like there would be other possible options. -- https://gitlab.winehq.org/wine/wine/-/merge_requests/2183#note_27620

1 0

2025

2024

2023

2022

wine-gitlab March 2023