oss-sec mailing list archives
CVE-2019-13164 Qemu: qemu-bridge-helper ACL bypassed with long interface names
From: P J P <ppandit () redhat com>
Date: Wed, 3 Jul 2019 01:01:36 +0530 (IST)
Hello,It was discovered that the Access Control List (ACL) implemented by qemu-bridge-helper program could be bypassed in particular case when the bridge interface names are as long as IFNAMSIZ-1, ie 15 characters. If the ACL specified in the /etc/qemu/bridge.conf file denies access to a bridge interface with name IFNAMSIZ-1 bytes long, but it allows all other interfaces. It is possible for a local attacker to use qemu-bridge-helper to create a tap device and attach it to a denied bridge interface, thus bypassing the ACL. This could be used by the attacker to get access to confidential data transmitted on the bridge.
Upstream patch: --------------- -> https://lists.gnu.org/archive/html/qemu-devel/2019-07/msg00245.html This issue was discovered by Riccardo Schirone of Red Hat Inc. Thank you. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
Current thread:
- CVE-2019-13164 Qemu: qemu-bridge-helper ACL bypassed with long interface names P J P (Jul 02)