oss-sec mailing list archives
CVE Request: qemu -runas does not clear supplementary groups
From: Michael Tokarev <mjt () tls msk ru>
Date: Tue, 12 Jul 2011 20:48:59 +0400
There's a missing initgroups() call in qemu in the -runas argument handling. Details are available on https://bugs.launchpad.net/qemu/+bug/807893

In short, -runas is supposed to reduce privileges to a bare minimum (after all initialization is completed), but the process still has all the supplementary groups which should be dropped too.

Can a CVE id be assigned for this issue?

Thanks,

/mjt