http://bugzilla.opensuse.org/show_bug.cgi?id=1051248

Bug ID: 1051248
Summary: VUL-0: PlayOnLinux: privacy issues
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.3
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: ecsos@schirra.net
Reporter: astieger@suse.com
QA Contact: security-team@suse.de
CC: astieger@suse.com, ecsos@schirra.net, simon.herrmann@posteo.ch, stefan@fam-elser.de
Found By: Security Response Team
Blocker: ---

+++ This bug was initially created as a clone of Bug #1051224 +++

In PlayOnLinux ./bash/run_app:

    # Unique anonymous id (autorisation to edit the review)
    if [ ! -e "$POL_USER_ROOT/configurations/reports/$PACKAGE" ]; then
        UniqId="$(perl -e 'print int(rand(10000000000000000))')"
    else
        UniqId="$(cat "$POL_USER_ROOT/configurations/reports/$PACKAGE")"
    fi

    # Wine version
    Prefix="$(POL_Shortcut_GetPrefix "$PACKAGE")"
    Version="$(POL_Config_PrefixRead VERSION "$Prefix")"
    PArch="$(POL_Config_PrefixRead ARCH "$Prefix")"
    [ "$PArch" = "x86" ] && archty="0" || archty="1"

    # AMD64
    [ "$AMD64_COMPATIBLE" = "True" ] && amd64_set="1" || amd64_set="0"

    if [ "$ScriptName" ]; then
        # Device Infos - Could also directly use POL_DetectVideoCards for full list
        POL_LoadVar_Device --non-interactive
        Info="$(printf "$VendorID~$DeviceID~$currentOS~$ScriptName~$amd64_set~$OpenGL32~$OpenGL64~$Version~$ExitCode~$DISTRO~$vms~$UniqId~$archty~$PACKAGE~$VERSION~$delta" | POL_base64)"
        POL_Website_GET "http://www.playonlinux.com/api/s.php?data=$(POL_Website_urlencode "$Info")"
        echo "$UniqId" > "$POL_USER_ROOT/configurations/reports/$PACKAGE"
    fi

This uploads a user-identifying ID with all hardware information in PLAIN to a third party.

This should be HTTPS at least, NOT use a unique ID unless the user is informed, and be default off anyway.
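
An added example, not part of the bug report or of PlayOnLinux: a Python sketch for auditing your own proxy or DNS-gateway logs, which decodes the `data=` parameter of the request quoted above and groups reports by `UniqId` to show that repeated runs are linkable. The field order is taken from the quoted printf line; the log-line layout and every sample value are constructed, and `POL_base64` is assumed to emit standard base64.

```python
import base64
import re
from collections import defaultdict
from urllib.parse import parse_qs, quote, urlsplit

# Field order copied from the printf format string in run_app quoted above.
FIELDS = ("VendorID DeviceID currentOS ScriptName amd64_set OpenGL32 OpenGL64 "
          "Version ExitCode DISTRO vms UniqId archty PACKAGE VERSION delta").split()
REPORT_URL = re.compile(r"https?://www\.playonlinux\.com/api/s\.php\?\S+")


def decode_report(url):
    """Decode one api/s.php URL into {field: value}; None if it is not a report."""
    data = parse_qs(urlsplit(url).query).get("data")
    if not data:
        return None
    # parse_qs turns a literal '+' into a space; base64 has no spaces, so undo it.
    b64 = data[0].replace(" ", "+")
    try:
        text = base64.b64decode(b64 + "=" * (-len(b64) % 4)).decode("utf-8", "replace")
    except ValueError:  # binascii.Error (bad padding) is a ValueError subclass
        return None
    values = text.split("~")
    # A '~' inside a value (e.g. a script name) shifts the columns: keep it raw.
    if len(values) != len(FIELDS):
        return {"unparsed": text}
    return dict(zip(FIELDS, values))


def linkable_runs(log_lines):
    """Group decoded reports by UniqId: one user's install of one package per group."""
    groups = defaultdict(list)
    for line in log_lines:
        match = REPORT_URL.search(line)
        report = decode_report(match.group(0)) if match else None
        if report and "UniqId" in report:
            groups[report["UniqId"]].append(report)
    return dict(groups)


def sample_log_line(exit_code, delta):
    """Constructed proxy-log line; every value in it is made up for this example."""
    info = f"10de~1c82~Linux~ExampleGame~1~1~1~2.0~{exit_code}~openSUSE~0~1234567890123456~0~ExampleGame~4.2.12~{delta}"
    data = quote(base64.b64encode(info.encode()).decode(), safe="")
    return f"1501500000.1 192.0.2.10 GET http://www.playonlinux.com/api/s.php?data={data}"


if __name__ == "__main__":
    for uniq_id, runs in linkable_runs([sample_log_line(0, 35), sample_log_line(1, 120)]).items():
        print(uniq_id, [(r["PACKAGE"], r["ExitCode"], r["DISTRO"]) for r in runs])
```

Because the request is plain HTTP, any on-path device sees exactly what `decode_report` returns; base64 is an encoding, not protection.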