Mailinglist Archive: opensuse-bugs (4794 mails)

[Bug 1051248] New: VUL-0: PlayOnLinux: privacy issues
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Fri, 28 Jul 2017 15:11:22 +0000
  • Message-id: <bug-1051248-21960@http.bugzilla.opensuse.org/>
http://bugzilla.opensuse.org/show_bug.cgi?id=1051248


Bug ID: 1051248
Summary: VUL-0: PlayOnLinux: privacy issues
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.3
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: ecsos@xxxxxxxxxxx
Reporter: astieger@xxxxxxxx
QA Contact: security-team@xxxxxxx
CC: astieger@xxxxxxxx, ecsos@xxxxxxxxxxx,
simon.herrmann@xxxxxxxxx, stefan@xxxxxxxxxxxx
Found By: Security Response Team
Blocker: ---

+++ This bug was initially created as a clone of Bug #1051224 +++

In PlayOnLinux ./bash/run_app:

# Unique anonymous id (autorisation to edit the review)
if [ ! -e "$POL_USER_ROOT/configurations/reports/$PACKAGE" ]; then
    UniqId="$(perl -e 'print int(rand(10000000000000000))')"
else
    UniqId="$(cat "$POL_USER_ROOT/configurations/reports/$PACKAGE")"
fi
# Wine version
Prefix="$(POL_Shortcut_GetPrefix "$PACKAGE")"
Version="$(POL_Config_PrefixRead VERSION "$Prefix")"
PArch="$(POL_Config_PrefixRead ARCH "$Prefix")"
[ "$PArch" = "x86" ] && archty="0" || archty="1"
# AMD64
[ "$AMD64_COMPATIBLE" = "True" ] && amd64_set="1" || amd64_set="0"

if [ "$ScriptName" ]; then
    # Device Infos - Could also directly use POL_DetectVideoCards for full list
    POL_LoadVar_Device --non-interactive

    Info="$(printf "$VendorID~$DeviceID~$currentOS~$ScriptName~$amd64_set~$OpenGL32~$OpenGL64~$Version~$ExitCode~$DISTRO~$vms~$UniqId~$archty~$PACKAGE~$VERSION~$delta" | POL_base64)"
    POL_Website_GET "http://www.playonlinux.com/api/s.php?data=$(POL_Website_urlencode "$Info")"
    echo "$UniqId" > "$POL_USER_ROOT/configurations/reports/$PACKAGE"
fi



This uploads a user-identifying ID with all hardware information in PLAIN to a
third party.
This should be HTTPS at least, NOT use a unique ID unless the user is informed,
and be default off anyway.

--
You are receiving this mail because:
You are on the CC list for the bug.
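
To audit what such a request exposes, the following added example (not part of the original report and not PlayOnLinux code) decodes a report URL, as seen in a proxy log or packet capture, back into the named fields of the printf format string above. It assumes POL_base64 emits standard base64 and POL_Website_urlencode applies ordinary percent-encoding; the function names and all sample values are constructed for the example.

```shell
#!/bin/sh
# Added example: decode a PlayOnLinux report URL into its named fields.
# Field order copied from the printf format string in bash/run_app.
POL_FIELDS="VendorID DeviceID currentOS ScriptName amd64_set OpenGL32 OpenGL64 Version ExitCode DISTRO vms UniqId archty PACKAGE VERSION delta"

# Print "name=value" for each field of a report URL; return 1 if the URL is
# not a report request or the payload does not decode.
pol_decode_report() {
    case "$1" in
        *"/api/s.php?data="*) ;;
        *) return 1 ;;
    esac
    payload=${1#*data=}
    payload=${payload%%&*}
    # Assumption: the payload is standard base64, so only '+', '/', '=' and
    # line breaks can appear percent-encoded.
    b64=$(printf '%s' "$payload" | sed -e 's/%2[Bb]/+/g' -e 's/%2[Ff]/\//g' \
        -e 's/%3[Dd]/=/g' -e 's/%0[AaDd]//g')
    plain=$(printf '%s' "$b64" | base64 -d 2>/dev/null) || return 1
    [ -n "$plain" ] || return 1
    old_ifs=$IFS
    IFS='~'
    set -f              # no globbing while the record is split on '~'
    set -- $plain
    set +f
    IFS=$old_ifs
    for name in $POL_FIELDS; do
        printf '%s=%s\n' "$name" "${1-}"
        if [ $# -gt 0 ]; then shift; fi
    done
    return 0
}

# Constructed sample request; every value below is made up for the example.
pol_sample_url() {
    record='10de~1c82~Linux~ExampleGame~1~4.5.0~4.5.0~2.0.1~0~openSUSE~0~1234567890123456~0~ExampleGame~4.2.12~35'
    data=$(printf '%s' "$record" | base64 | tr -d '\n' |
        sed -e 's/+/%2B/g' -e 's/\//%2F/g' -e 's/=/%3D/g')
    printf 'http://www.playonlinux.com/api/s.php?data=%s\n' "$data"
}

# Print only UniqId, the value that stays the same across reports for a package.
pol_report_id() {
    pol_decode_report "$1" | sed -n 's/^UniqId=//p'
}
```

Running `pol_decode_report "$(pol_sample_url)"` lists all sixteen fields in clear text, which is what any on-path observer of the HTTP request can recover without a key.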