oss-sec mailing list archives
CVE Request: Local Privilege Escalation in QEMU virtfs-proxy-helper
From: "Jason A. Donenfeld" <Jason () zx2c4 com>
Date: Mon, 14 Dec 2015 12:14:39 +0100
Hi folks, Some distros make qemu's virtfs-proxy-helper binary either SUID or give it filesystem capabilities such as cap_chown. This is completely insane for a wide variety of reasons; there are quite a few ways of abusing this to elevate privileges. This commit fixes the issue in Gentoo: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=183dd7394703b49c7af441a9c4227b4b91453510 The commit message contains a TOCTOU PoC. Can we get a CVE for this blunder? Other distributions - you might want to double check that you're not making a similar mistake. I have no idea if QEMU upstream recommends suid/fscaps in some documentation, or something similar, in which case that'll need to be changed. Thanks, Jason
Current thread:
- CVE Request: Local Privilege Escalation in QEMU virtfs-proxy-helper Jason A. Donenfeld (Dec 14)
- <Possible follow-ups>
- CVE Request: Local Privilege Escalation in QEMU virtfs-proxy-helper Jason A. Donenfeld (Dec 14)
- Re: CVE Request: Local Privilege Escalation in QEMU virtfs-proxy-helper cve-assign (Dec 14)