As it was noted in <https://github.com/WinFF/winff/issues/242>, WinFF
changes permissions of ~/.winff/*.sh files to 0777, which is
world-writable!

Assuming default permissions of the home directory and the .winff
subdir, this can be exploited by local users to execute arbitrary code
with the context of the user running WinFF.

I've attached a proof-of-concept exploit. (It's not 100% reliable.)

I've also attached an untested patch.

Thanks for the patch.
Applied upstream.

We believe that the bug you reported is fixed in the latest version of
winff, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1061586@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peter Blackman <peter@pblackman.plus.com> (supplier of updated winff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 19 Feb 2024 13:00:00 +0000
Source: winff
Built-For-Profiles: noudeb
Architecture: source
Version: 1.6.3+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Pascal Packaging Team <pkg-pascal-devel@lists.alioth.debian.org>
Changed-By: Peter Blackman <peter@pblackman.plus.com>
Closes: 1053373 1061586
Changes:
 winff (1.6.3+dfsg-1) unstable; urgency=medium
 .
   * New Upstream release (Closes: #1053373) (Closes: #1061586)
   * Drop patch adopted upstream
   * Update copyright date
Checksums-Sha1:
 d55265c3de46b30ee868b3cf9ca6ef3583488913 2242 winff_1.6.3+dfsg-1.dsc
 96844a0e3cdc6ec1789d7455974eb9dbb00fb826 2687816 winff_1.6.3+dfsg.orig.tar.xz
 649c90126b561265b6d5ec59332ad3a4e6bb7bd9 83080 winff_1.6.3+dfsg-1.debian.tar.xz
 136c7f2e07fd1aacf3e9d9f7dd7f482e4efce5f9 14274 winff_1.6.3+dfsg-1_source.buildinfo
Checksums-Sha256:
 3d1e1b6bcdedf1c4ab8a480714de0f7ab92cf376121151db04b71ca8876465b0 2242 winff_1.6.3+dfsg-1.dsc
 786e410b8ef24138700d64d250233738bf2a0b8809a0f20c2efe0f628dd43ae1 2687816 winff_1.6.3+dfsg.orig.tar.xz
 3bac0a7627d979b684375e974a9468440f324ff47868e1bdec149c951dfd6e67 83080 winff_1.6.3+dfsg-1.debian.tar.xz
 3e60ca7441351a1910ba99f681b68d0287af217446b9a421399e35a8200a4abf 14274 winff_1.6.3+dfsg-1_source.buildinfo
Files:
 050235e0ca913e7c18b3716d4286ef09 2242 video optional winff_1.6.3+dfsg-1.dsc
 6867fb322626d5df2067d8bc5ae8fa19 2687816 video optional winff_1.6.3+dfsg.orig.tar.xz
 4b9f0f15fa7f4c0ad9c8506eeb1ea0ff 83080 video optional winff_1.6.3+dfsg-1.debian.tar.xz
 a807a6885643cf0d3bcbb612069394e2 14274 video optional winff_1.6.3+dfsg-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEkpeKbhleSSGCX3/w808JdE6fXdkFAmXbDpEACgkQ808JdE6f
XdmpCQ/+Od00cEalnyCxN+E5OpUn4EB0gnxQcUQsHMpJVhphMds4EEzxK/vecC48
REOVolyD+LwbEkWniRDeW2E0LCDdYbi7SuUX79Vr3aaequHt0O6l71Ii4KMglgyV
rNRTOwckMQ2esMFOhsiWcmfPPyBKJoJoWLr9PDkskX+iEYVmyqJ91tdL5cflHc+Q
kaIY1TEkPZ4xWU1UCEisNni6booOMxha7HGFfbtJh6TEchLEhW/gztHxlNvJNJeR
HYLcbvq2calb54IV91Ix0bx/VVZS0kavk3zPD46En77sZNgGU+TavKgce+tGml4K
6tp8T7NX18/sPgJ73iRn9Qw0wiH/uiUo1XfCtPBbGLXsO57AmoEayDYqyd8FYcyG
/+zmytcbqJZKNSXw+0exzc0B0OS5xibMNEwLdWCQoJqBMJtYwUOT1Jr2qaFNEGfT
V1NCmO1iqDoZWXeLPx8Hp0SwTA5jSNys7k106urgJz0sz9gZVTIF8LYSRY1W9qXs
QxiZ/z6PUWhByiejMdy2NAd/mHK2tyV1u7pWnT6wm7xRoipxvOJhtcw/jWYNJpSE
pUrtOqkBP7vHGvYQE/1hMiQkEjKOwqU9ikxIXnMu8cy4qWo9NF5eR7K406GaAvg/
Qp6H2KyMAxNbqIH1bUexmEcC9/zN+O2NK1O5v3/z/y9E7SRQgqc=
=iDJk
-----END PGP SIGNATURE-----