oss-sec mailing list archives
Re: QEMU 2.3.0 tmp vulns CVE request
From: cve-assign () mitre org
Date: Sat, 23 May 2015 11:43:40 -0400 (EDT)
> So some suspicious looking tmp usage in qemu ...

> Additionally there will no doubt be further QEMU issues found in the next few days/weeks as people start looking ...
We do not know of any further discussion of this, so it seems best to assign a CVE ID only for the net/slirp.c issue in the slirp_smb function:
    snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.%ld-%d",
             (long)getpid(), instance++);
    if (mkdir(s->smb_dir, 0700) < 0) {
        error_report("could not create samba server dir '%s'", s->smb_dir);
        return -1;
    }
The simplest attack would be a DoS in which someone creates /tmp/qemu-smb.*-* files to prevent the legitimate creation of s->smb_dir (mkdir will not follow a symlink). Use CVE-2015-4037.

Michael Tokarev commented on most of the other issues. For /tmp/pci.ids in niclist.pl (apparently maintained at https://git.ipxe.org/ipxe.git/blob/HEAD:/src/util/niclist.pl), the question is whether there's a requirement for a script of this type to be within the scope of CVE. As far as we can tell, niclist.pl is not executed in any default or configurable use of the product, and the documentation doesn't mention executing it. Of course, some people do execute it (it is sometimes mentioned in the product's forum, such as on the http://forum.ipxe.org/printthread.php?tid=6813 page).

If someone needs a CVE mapping to track the use of /tmp/pci.ids, please specify what vulnerabilities exist. For example, if niclist.pl runs "wget -O /tmp/pci.ids" and this follows a symlink from /tmp/pci.ids, is this best considered a vulnerability in iPXE rather than a vulnerability in wget? If /tmp/pci.ids is a plain file owned by someone else, and isn't overwritten by niclist.pl, then is there an XSS issue in format_nic_list_html?

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
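As an added illustration (editor's example, not code from this thread, from QEMU or from MITRE), the C program below places the predictable /tmp/qemu-smb.<pid>-<n> naming quoted above beside an mkdtemp()-based alternative and reproduces the collision the message describes inside a private scratch directory. The function names smb_dir_predictable, smb_dir_unpredictable and demo_tmp_collision, and the scratch prefix /tmp/slirp-demo.XXXXXX, are this example's own; the "instance" counter mirrors the static counter in slirp_smb().

```c
#define _XOPEN_SOURCE 700   /* for mkdtemp() */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Counter mirroring the static "instance" used by slirp_smb(). */
static int instance = 0;

/* The scheme quoted from net/slirp.c, parameterised on the temp directory
 * so it can be exercised in a scratch location. The name is fully
 * predictable (pid + counter), so any entry already sitting at that path
 * makes mkdir() fail with EEXIST: the denial of service the thread notes.
 * Returns 0 on success, -1 on failure. */
int smb_dir_predictable(char *out, size_t len, const char *tmpdir)
{
    if (snprintf(out, len, "%s/qemu-smb.%ld-%d", tmpdir,
                 (long)getpid(), instance++) >= (int)len) {
        return -1;
    }
    if (mkdir(out, 0700) < 0) {
        fprintf(stderr, "could not create samba server dir '%s': %s\n",
                out, strerror(errno));
        return -1;
    }
    return 0;
}

/* Hardened alternative (this example's own, not a QEMU patch): mkdtemp()
 * chooses a random suffix and creates the directory atomically with mode
 * 0700, retrying internally if a name is already taken, so nobody can know
 * in advance which name to occupy. Returns 0 on success, -1 on failure. */
int smb_dir_unpredictable(char *out, size_t len, const char *tmpdir)
{
    if (snprintf(out, len, "%s/qemu-smb.XXXXXX", tmpdir) >= (int)len) {
        return -1;
    }
    if (mkdtemp(out) == NULL) {
        fprintf(stderr, "could not create samba server dir under '%s': %s\n",
                tmpdir, strerror(errno));
        return -1;
    }
    return 0;
}

/* Reproduces the collision in a private scratch directory and cleans up.
 * Returns 1 when the predictable scheme was blocked by a pre-created entry
 * while the mkdtemp() scheme still succeeded, 0 otherwise. */
int demo_tmp_collision(void)
{
    char base[] = "/tmp/slirp-demo.XXXXXX";   /* constructed scratch root */
    char taken[128], got[128], safe[128];
    int blocked, safe_ok;

    if (mkdtemp(base) == NULL) {
        return 0;
    }

    /* Stand-in for the pre-existing entry: occupy exactly the name the
     * predictable scheme is about to request. */
    snprintf(taken, sizeof(taken), "%s/qemu-smb.%ld-%d", base,
             (long)getpid(), instance);
    if (mkdir(taken, 0700) < 0) {
        rmdir(base);
        return 0;
    }

    blocked = (smb_dir_predictable(got, sizeof(got), base) < 0);
    safe_ok = (smb_dir_unpredictable(safe, sizeof(safe), base) == 0);

    if (safe_ok) {
        rmdir(safe);
    }
    rmdir(taken);
    rmdir(base);
    return blocked && safe_ok;
}

int main(void)
{
    if (demo_tmp_collision()) {
        puts("predictable name blocked by a pre-created entry; mkdtemp() name created fine");
    } else {
        puts("unexpected result (is /tmp writable?)");
    }
    return 0;
}
```

The point of the comparison is that mkdir() alone is already safe against symlink tricks, as the message says; what it cannot defend against is a name that the other party can compute, which is exactly what the pid-plus-counter format hands out.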
Current thread:
- QEMU 2.3.0 tmp vulns CVE request Kurt Seifried (May 13)
- Re: QEMU 2.3.0 tmp vulns CVE request Michael Tokarev (May 16)
- Re: QEMU 2.3.0 tmp vulns CVE request Jakub Wilk (May 16)
- Re: QEMU 2.3.0 tmp vulns CVE request cve-assign (May 23)
- Re: QEMU 2.3.0 tmp vulns CVE request Michael Tokarev (May 16)