CVE-2019-13164 Qemu: qemu-bridge-helper ACL bypassed with long interface names

[P J P <ppandit () redhat com>]

  Hello,

It was discovered that the Access Control List (ACL) implemented by 
qemu-bridge-helper program could be bypassed in particular case when the 
bridge interface names are as long as IFNAMSIZ-1, ie 15 characters. If the ACL 
specified in the /etc/qemu/bridge.conf file denies access to a bridge 
interface with name IFNAMSIZ-1 bytes long, but it allows all other interfaces. 
It is possible for a local attacker to use qemu-bridge-helper to create a tap 
device and attach it to a denied bridge interface, thus bypassing the ACL. 
This could be used by the attacker to get access to confidential data 
transmitted on the bridge.

Upstream patch:
---------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2019-07/msg00245.html

This issue was discovered by Riccardo Schirone of Red Hat Inc.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F