oss-sec mailing list archives
QEMU 2.3.0 tmp vulns CVE request
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 13 May 2015 10:23:57 -0600
So some suspicious looking tmp usage in qemu (I excluded the test scripts and build scripts, they were rife with problems so hopefully people only build in trusted environments).

Additionally there will no doubt be further QEMU issues found in the next few days/weeks as people start looking, I would ask that this be handled publicly unless it's Remote Code Exec or equivalent (e.g. CVE-2015-3456).

====================================================================
http://wiki.qemu-project.org/download/qemu-2.3.0.tar.bz2
====================================================================
./roms/u-boot/tools/patman/series.py:

    def MakeCcFile(self, process_tags, cover_fname, raise_on_error):
        """Make a cc file for us to use for per-commit Cc automation

        Also stores in self._generated_cc to make ShowActions() faster.

        Args:
            process_tags: Process tags as if they were aliases
            cover_fname: If non-None the name of the cover letter.
            raise_on_error: True to raise an error when an alias fails to match,
                False to just print a message.
        Return:
            Filename of temp file created
        """
        # Look for commit tags (of the form 'xxx:' at the start of the subject)
        fname = '/tmp/patman.%d' % os.getpid()
        fd = open(fname, 'w')
        all_ccs = []
        for commit in self.commits:
            list = []
            if process_tags:
                list += gitutil.BuildEmailList(commit.tags,
                                               raise_on_error=raise_on_error)
            list += gitutil.BuildEmailList(commit.cc_list,
                                           raise_on_error=raise_on_error)
            list += get_maintainer.GetMaintainer(commit.patch)
            all_ccs += list
            print >>fd, commit.patch, ', '.join(list)
            self._generated_cc[commit.patch] = list

        if cover_fname:
            cover_cc = gitutil.BuildEmailList(self.get('cover_cc', ''))
            print >>fd, cover_fname, ', '.join(set(cover_cc + all_ccs))

        fd.close()
        return fname

====================================================================
./roms/u-boot/lib/lzma/import_lzmasdk.sh

#!/bin/sh

usage() {
    echo "Usage: $0 lzmaVERSION.tar.bz2" >&2
    echo >&2
    exit 1
}

if [ "$1" = "" ] ; then
    usage
fi

if [ ! -f $1 ] ; then
    echo "$1 doesn't exist!" >&2
    exit 1
fi

BASENAME=`basename $1 .tar.bz2`
TMPDIR=/tmp/tmp_lib_$BASENAME
FILES="C/LzmaDec.h
    C/Types.h
    C/LzmaDec.c
    history.txt
    lzma.txt"

mkdir -p $TMPDIR
echo "Untar $1 -> $TMPDIR"
tar -jxf $1 -C $TMPDIR

for i in $FILES; do
    echo Copying $TMPDIR/$i \-\> `basename $i`
    cp $TMPDIR/$i .
    chmod -x `basename $i`
done

echo "done!"

====================================================================
./roms/ipxe/src/util/niclist.pl:

    'pci-file=s' => \( my $pci_file = '/tmp/pci.ids' ),

    # Download pci.ids file and parse it
    fetch_pci_ids_file($pci_url, $pci_file);
    my $pci_id_map = build_pci_id_map($pci_file);

====================================================================
./net/slirp.c:

    snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.%ld-%d",
             (long)getpid(), instance++);

====================================================================
./tcg/tcg.c:

#ifdef DEBUG_JIT
    /* Enable this block to be able to debug the ELF image file creation.
       One can use readelf, objdump, or other inspection utilities.  */
    {
        FILE *f = fopen("/tmp/qemu.jit", "w+b");
        if (f) {
            if (fwrite(img, img_size, 1, f) != img_size) {
                /* Avoid stupid unused return value warning for fwrite.  */
            }
            fclose(f);
        }
    }
#endif

====================================================================

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
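
The slirp.c and tcg.c excerpts quoted in the message above build a PID-derived directory name and a fixed file name under /tmp. As an added example (not part of the original post and not QEMU's code), this C sketch shows hardened counterparts using mkdtemp() for the directory and O_CREAT|O_EXCL for the file; the function names and the "example-smb" prefix are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for mkdtemp() */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Counterpart to snprintf("/tmp/name.%ld-%d", pid, n): mkdtemp() picks an
 * unpredictable suffix and creates the directory atomically with mode 0700,
 * failing instead of reusing a path another local user created first.
 * Returns 0 on success, -1 on failure (errno set). */
int make_private_dir(char *buf, size_t len, const char *prefix)
{
    int n = snprintf(buf, len, "/tmp/%s.XXXXXX", prefix);
    if (n < 0 || (size_t)n >= len) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkdtemp(buf) ? 0 : -1;
}

/* Counterpart to fopen("/tmp/fixed-name", "w+b"): O_CREAT|O_EXCL refuses any
 * pre-existing path, including a symlink (dangling or not), so a planted
 * link is never followed or truncated. The file is created with mode 0600.
 * Returns a FILE* or NULL (errno set, EEXIST if the path was already there). */
FILE *create_new_file(const char *path)
{
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return NULL;
    FILE *f = fdopen(fd, "w+b");
    if (!f)
        close(fd);
    return f;
}

int main(void)
{
    char dir[256], path[300];
    if (make_private_dir(dir, sizeof(dir), "example-smb") != 0)
        return 1;
    snprintf(path, sizeof(path), "%s/dump.bin", dir);
    FILE *f = create_new_file(path);
    printf("dir=%s file=%s\n", dir, f ? "created" : "refused");
    if (f) fclose(f);
    unlink(path);
    rmdir(dir);
    return 0;
}
```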