oss-sec mailing list archives

Re: On the issue of MIME handlers that execute arbitrary code (e.g. Wine)


From: Aaron Rainbolt <arraybolt3 () riseup net>
Date: Sun, 24 May 2026 21:36:21 -0400

On Mon, 18 May 2026 22:01:16 -0400
Aaron Rainbolt <arraybolt3 () riseup net> wrote:

... snip ...
 
If all applications followed the xdg-mime manpage's advice to never
execute code when opening a file, this wouldn't be that big of a
problem. This is where Wine comes in; it ships a desktop file that
registers Wine as a MIME handler for
'application/x-ms-dos-executable', 'application/x-msi', and
'application/x-bat'. [3] These handlers result in the command 'wine
start /unix FILE-NAME' being run, which of course loads the
executable code from the opened file into memory and starts running
it. That means, if you are unlucky enough to have an unsandboxed copy
of Wine as your only MIME handler for EXE files, any flatpak on your
system can break out of the sandbox by writing an EXE file somewhere,
then opening it with org.freedesktop.portal.OpenURI.OpenFile. This
issue has been reported to Wine a short while ago [4]; I didn't
report the issue privately since I couldn't find a security contact
for Wine and was encouraged to make a public bug report when I asked
for a security contact on IRC some time back. (I was also given an
email where I could privately contact someone, but I no longer have
it, and I was somewhat discouraged from using it when I initially
asked.) 

CVE-2026-48831 has been assigned for this. [1]

--
Aaron

[1] https://www.cve.org/CVERecord?id=CVE-2026-48831

Attachment: _bin
Description: OpenPGP digital signature


Current thread: