Slashdot Mirror

← Back to Stories (view on slashdot.org)

WINE Still Vulnerable to WMF Exploit

Posted by Zonk on from the patch-up-young-linux-users dept.

blast3r wrote to mention a ZDNet Blog posting by George Ou, stating that WINE is still vulnerable to the WMF flaw. From the article: "All applications launched inside Wine, Cedega, or Cross-Over Office are technically still exploitable. Wine runs on most x86 platforms, including Linux and the various BSDs. The surprising part about finding this flaw in Wine is that they implemented the entire Meta File API without realizing that this could be a security issue. Exploiting a Windows application running inside Wine depends on that application calling the vulnerable function with malicious data."

3 of 240 comments (clear)

  1. Re:Make a copy? by cnettel · · Score: 5, Informative

    No, the Win32 version is (mostly) just calling down to the Win32K.sys file in the kernel. This isn't present in WINE. There are also other issues, but this single fact is the killer that makes it totally impossible to work. (aside from licensing issues :-)

  2. Cedega is not affected by this exploit by gavriels · · Score: 5, Informative

    Cedega is not affected by this exploit, as we don't support any META_ESCAPE commands in WMF playback at all.

    And Marcus Messier's fix for WineHQ was checked in earlier today. 8-)

      -Gav

  3. IT'S FIXED IN THE CVS by Krach42 · · Score: 5, Informative
    Revision 1.12 / (download) - [select for diffs], Fri Jan 6 20:52:46 2006 UTC (111 minutes, 55 seconds ago) by julliard
    Branch: MAIN
    CVS Tags: HEAD
    Changes since 1.11: +7 -0 lines
    Diff to previous 1.11 (colored)

    Marcus Meissner
    gdi: Filter GETSCALINGFACTOR and SETABORTDOC proc in metafile
    Escapes.


    Which changed wine/dlls/gdi/metafile.c from:
    case META_ESCAPE:
            Escape(hdc, mr->rdParm[0], mr->rdParm[1], (LPCSTR)&mr->rdParm[2], NULL);
            break;
    To:
    case META_ESCAPE:
            switch (mr->rdParm[0]) {
            case GETSCALINGFACTOR: /* get function ... would just NULL dereference */
                return FALSE;
            case SETABORTPROC:
                FIXME("Filtering Escape(SETABORTPROC), possible virus?\n");
                return FALSE;
            }
            Escape(hdc, mr->rdParm[0], mr->rdParm[1], (LPCSTR)&mr->rdParm[2], NULL);
            break;
    This is first day response.
    --

    I am unamerican, and proud of it!