Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 576134 - app-emulation/wine: Insecure use of temp files with predictable names
Summary: app-emulation/wine: Insecure use of temp files with predictable names
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [upstream]
Depends on:
Reported: 2016-03-01 17:31 UTC by Agostino Sarubbo
Modified: 2020-02-27 13:28 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-03-01 17:31:35 UTC
From ${URL} :

It was reported that wine uses /tmp/.wine-$UID as a directory for sockets and lock files. Malicious 
local user could create /tmp/.wine-$UID for another user's uid, preventing the other user from 
using wine. Moreover, the server_connect() function doesn't check if /tmp/.wine-$UID or its 
subdirectories are symlinks, so in some circumstances it might be possible to trick wine to connect 
to an unrelated socket.

Debian bug report:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Adam Feldman gentoo-dev 2016-03-02 01:01:50 UTC
Upstream has a bug that raised the point a while ago, no action.  Bringing it back to their attention noting that at least 3 distros have marked it as a security bug.  Will keep an eye on upstream.
Adding upstream URL.