CVE Request: Local Privilege Escalation in QEMU virtfs-proxy-helper

["Jason A. Donenfeld" <Jason () zx2c4 com>]

Hi folks,

Some distros make qemu's virtfs-proxy-helper binary either SUID or
give it filesystem capabilities such as cap_chown. This is completely
insane for a wide variety of reasons; there are quite a few ways of
abusing this to elevate privileges.

This commit fixes the issue in Gentoo:
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=183dd7394703b49c7af441a9c4227b4b91453510The
commit message contains a TOCTOU PoC.

Can we get a CVE for this blunder?

Other distributions - you might want to double check that you're not
making a similar mistake.

I have no idea if QEMU upstream recommends suid/fscaps in some
documentation, or something similar, in which case that'll need to be
changed.

Thanks,
Jason