
Bug#971759: marked as done (wine: Buffer overflow in fixes/temporary-directory.patch)



Your message dated Mon, 11 Jan 2021 02:36:43 +0000
with message-id <E1kyn4V-0004AT-Rh@fasolo.debian.org>
and subject line Bug#971759: fixed in wine 5.0.3-1
has caused the Debian Bug report #971759,
regarding wine: Buffer overflow in fixes/temporary-directory.patch
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
971759: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971759
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: wine
Version: 5.0-4
Severity: important

Hello.

Recently we hit a buffer overflow in wine_5.0-4.
There was a mkdir error while creating the "/run/$UID! /wine" dir
when running winecfg. The error was produced by wineserver32.

Take a look at the strange "! " part after $UID - this looks like a missing
\0 symbol in a C char*.

Our $UIDs are produced by sssd, which is joined to an Active Directory domain.
$UID length is 10 chars.

I looked at "fixes/temporary-directory.patch" and found wrong usage of sizeof().

Patch attached for "debian/5.0-4" tag (bullseye branch).
It's also available at salsa [1] however MRs are disabled for wine-team/wine
project so I was unable to submit it.

[1] https://salsa.debian.org/nE0sIghT-guest/wine/-/commit/7867f27a582b3665844efcadc8003253ddebff9d
From 7867f27a582b3665844efcadc8003253ddebff9d Mon Sep 17 00:00:00 2001
From: Yuri Konotopov <ykonotopov@gnome.org>
Date: Mon, 5 Oct 2020 21:47:00 +0400
Subject: [PATCH] Fix buffer overflow in fixes/temporary-directory.patch

Signed-off-by: Yuri Konotopov <ykonotopov@gnome.org>
---
 .../patches/fixes/temporary-directory.patch   | 22 +++++++++++--------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/debian/patches/fixes/temporary-directory.patch b/debian/patches/fixes/temporary-directory.patch
index 358ae18709..d7a48b3d5f 100644
--- a/debian/patches/fixes/temporary-directory.patch
+++ b/debian/patches/fixes/temporary-directory.patch
@@ -4,8 +4,10 @@ bug-debian: https://bugs.debian.org/903622
 bug-debian: https://bugs.debian.org/904041
 bug-upstream: https://bugs.winehq.org/show_bug.cgi?id=39013
 
---- a/libs/wine/config.c
-+++ b/libs/wine/config.c
+Index: wine/libs/wine/config.c
+===================================================================
+--- wine.orig/libs/wine/config.c
++++ wine/libs/wine/config.c
 @@ -25,6 +25,7 @@
  #include <stdarg.h>
  #include <stdlib.h>
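Review bot: the switch from `--- a/libs/wine/config.c` to the `Index: wine/libs/wine/config.c` and `wine.orig` header form at the top of this hunk is unrelated to the overflow fix and looks like a side effect of how the patch was refreshed. Keeping the original `a/` and `b/` headers (the same applies to the server/request.c headers further down) would reduce the diff to the lines that change behaviour and make the fix easier to audit and backport.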
@@ -63,8 +65,8 @@ bug-upstream: https://bugs.winehq.org/show_bug.cgi?id=39013
 +        }
 +        else
 +        {
-+            const char *tmp_default = "/tmp";
-+            tmp_dir = xmalloc( sizeof(tmp_default) + 1 );
++            const char tmp_default[] = "/tmp";
++            tmp_dir = xmalloc( sizeof(tmp_default) );
 +            strcpy( tmp_dir, tmp_default );
 +        }
 +
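Review bot: in the `tmp_default` else-branch, `xmalloc( sizeof(tmp_default) )` is correct only while `tmp_default` stays an array; if the declaration is ever turned back into a `const char *`, the size silently becomes the pointer width, which is below the 5 bytes "/tmp" needs on a 32-bit build. Sizing with `strlen(tmp_default) + 1` would be correct for either declaration. The removed `sizeof(tmp_default) + 1` was at least 5 bytes with 4- or 8-byte pointers, so this site was a latent mistake rather than the overflow from the report, which is worth stating in the commit message.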
@@ -138,8 +140,10 @@ bug-upstream: https://bugs.winehq.org/show_bug.cgi?id=39013
  
      server_dir = xmalloc( strlen(root) + sizeof(server_dir_prefix) + 2*sizeof(dev) + 2*sizeof(ino) + 2 );
      strcpy( server_dir, root );
---- a/server/request.c
-+++ b/server/request.c
+Index: wine/server/request.c
+===================================================================
+--- wine.orig/server/request.c
++++ wine/server/request.c
 @@ -21,6 +21,7 @@
  #include "config.h"
  #include "wine/port.h"
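Review bot: the unchanged `server_dir = xmalloc( strlen(root) + sizeof(server_dir_prefix) + ... )` context line uses the same `sizeof` on a named prefix that this patch corrects elsewhere, and the declaration of `server_dir_prefix` is not visible in the diff. It is worth confirming that it is declared as an array rather than a `const char *`, and saying so in the commit message, so it is clear this call site was checked.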
@@ -166,7 +170,7 @@ bug-upstream: https://bugs.winehq.org/show_bug.cgi?id=39013
  /* create the server directory and chdir to it */
  static char *create_server_dir( int force )
  {
-+    const char *server_root_prefix = "/run/user";
++    const char server_root_prefix[] = "/run/user";
      const char *prefix = getenv( "WINEPREFIX" );
 -    char *p, *config_dir;
 +    char *p, *config_dir, *run_dir;
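Review bot: `const char server_root_prefix[] = "/run/user";` inside `create_server_dir` is an automatic array, and nothing at the declaration says that later `sizeof` arithmetic depends on it being an array. Declaring it `static const char server_root_prefix[]` and adding a one-line comment that `sizeof` here counts the terminating NUL would make that dependency explicit for the next person who edits it.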
@@ -181,13 +185,13 @@ bug-upstream: https://bugs.winehq.org/show_bug.cgi?id=39013
 -    if (!(server_dir = malloc( len ))) fatal_error( "out of memory\n" );
 -    sprintf( server_dir, "/tmp/.wine-%u", getuid() );
 +    /* use /run/user/$uid as wineserver's tmpdir by default */
-+    if (!(run_dir = malloc( sizeof(server_root_prefix) + 12 )))
++    if (!(run_dir = malloc( sizeof(server_root_prefix) + 13 )))
 +        fatal_error( "out of memory\n" );
 +    sprintf( run_dir, "%s/%u", server_root_prefix, getuid() );
 +
 +    if (opendir( run_dir )) /* use /run as the temporary directory */
 +    {
-+        len += sizeof(server_root_prefix) + 17;
++        len += strlen(run_dir) + 6;
 +        if (!(server_dir = malloc( len )))
 +            fatal_error( "out of memory\n" );
 +        sprintf( server_dir, "%s/wine", run_dir );
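Review bot: the `+ 13` in the `run_dir` malloc and the `+ 6` in `len += strlen(run_dir) + 6` are undocumented constants, and the `sprintf` calls that fill both buffers stay unbounded, so the sizes hold only as long as nobody changes the format strings. With the array declaration `sizeof(server_root_prefix)` is 10, so 23 bytes cover "/run/user/" plus a 10-digit uid and the terminator (21 bytes), and 6 covers "/wine" plus one byte; a short comment saying this, or sizing from `snprintf( NULL, 0, "%s/%u", ... ) + 1`, would keep the arithmetic next to the format it depends on. Separately, `if (opendir( run_dir ))` discards the returned `DIR *` without a `closedir`, which leaks a descriptor when the directory exists.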
-- 
GitLab

--- End Message ---
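
The sizing mistake the report describes, worked through for the `run_dir` buffer as an added example (not code from the report, the patch or Wine): it compares the bytes `sprintf` writes with the old and new allocation sizes for the pointer width of the build it runs on. The helper names and the sample UIDs are constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>

static const char *prefix_ptr   = "/run/user"; /* declaration before the fix */
static const char  prefix_arr[] = "/run/user"; /* declaration after the fix  */

/* Bytes sprintf( run_dir, "%s/%u", prefix, uid ) writes, NUL included. */
static size_t run_dir_needed(unsigned int uid)
{
    return (size_t)snprintf(NULL, 0, "%s/%u", prefix_arr, uid) + 1;
}

/* Old size: sizeof yields the pointer width (4 or 8), not the string length. */
static size_t run_dir_alloc_old(void) { return sizeof(prefix_ptr) + 12; }

/* New size: sizeof yields 10, the 9 characters plus the terminating NUL. */
static size_t run_dir_alloc_new(void) { return sizeof(prefix_arr) + 13; }

/* Bytes written past the end of an allocation of `have` bytes (0 = fits). */
static size_t overflow_bytes(size_t have, unsigned int uid)
{
    size_t need = run_dir_needed(uid);
    return need > have ? need - have : 0;
}

int main(void)
{
    /* Constructed sample UIDs: a local account and two 10-digit IDs. */
    const unsigned int uids[] = { 1000u, 1234567890u, 4294967295u };
    size_t i;

    printf("prefix %s, pointer width %zu\n", prefix_ptr, sizeof(prefix_ptr));
    printf("%-12s %5s %9s %9s\n", "uid", "need", "old over", "new over");
    for (i = 0; i < sizeof(uids) / sizeof(uids[0]); i++)
        printf("%-12u %5zu %9zu %9zu\n", uids[i], run_dir_needed(uids[i]),
               overflow_bytes(run_dir_alloc_old(), uids[i]),
               overflow_bytes(run_dir_alloc_new(), uids[i]));
    return 0;
}
```

Building with `-fsanitize=address` and running the original code under a 10-digit UID is a quick way to confirm the out-of-bounds write this arithmetic predicts.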
--- Begin Message ---
Source: wine
Source-Version: 5.0.3-1
Done: Michael Gilbert <mgilbert@debian.org>

We believe that the bug you reported is fixed in the latest version of
wine, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 971759@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <mgilbert@debian.org> (supplier of updated wine package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 10 Jan 2021 21:42:51 +0000
Source: wine
Architecture: source
Version: 5.0.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Wine Party <debian-wine@lists.debian.org>
Changed-By: Michael Gilbert <mgilbert@debian.org>
Closes: 957936 971759
Changes:
 wine (5.0.3-1) unstable; urgency=medium
 .
   * New upstream release 5.0.3, released Nov 10, 2020.
     - Fix compilation with gcc 10 (closes: #957936).
   * Fix incorrect uses of sizeof (closes: #971759).
     - Thanks to Yuri Konotopov.

--- End Message ---
