Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 16 May 2015 11:45:27 +0300
From: Michael Tokarev <mjt@....msk.ru>
To: oss-security@...ts.openwall.com
CC: qemu-devel <qemu-devel@...gnu.org>
Subject: Re: QEMU 2.3.0 tmp vulns CVE request

[Adding Cc qemu-devel@]

13.05.2015 19:23, Kurt Seifried wrote:
> So some suspicious looking tmp usage in qemu (I excluded the test
> scripts and builds scripts, they were rife with problems so hopefully
> people only build in trusted environments).
> 
> Additionally there will no doubt be further QEMU issues found in the
> next few days/weeks as people start looking, I would ask that this be
> handled publicly unless it's Remote Code Exec or equivalent (e.g.
> CVE-2015-3456).
> 
> 
> 
> ====================================================================
> http://wiki.qemu-project.org/download/qemu-2.3.0.tar.bz2
> 
> ====================================================================
> ./roms/u-boot/tools/patman/series.py:
> ./roms/u-boot/lib/lzma/import_lzmasdk.sh

This is part of u-boot source maintained externally but included
in qemu sources tarball.  It is not used directly even for building
qemu, used only by relevant maintainers when they update files in
pc-bios/ which are produced from this set of sources.  If the bug
is to be assigned, it should be filed against u-boot not qemu.

> ====================================================================
> ./roms/ipxe/src/util/niclist.pl:

The same thing, it is ipxe source, not used by qemu in any way.

> ====================================================================
> 
> ./net/slirp.c:
>     snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.%ld-%d",
>              (long)getpid(), instance++);

This one is real, used for -smb argument, to start smbd, making
its configuration.  Maybe tmpnam() should be used here.

> ====================================================================
> ./tcg/tcg.c:
> #ifdef DEBUG_JIT
>     /* Enable this block to be able to debug the ELF image file creation.
>        One can use readelf, objdump, or other inspection utilities.  */
>     {
>         FILE *f = fopen("/tmp/qemu.jit", "w+b");
>         if (f) {
>             if (fwrite(img, img_size, 1, f) != img_size) {
>                 /* Avoid stupid unused return value warning for fwrite.  */
>             }
>             fclose(f);
>         }
>     }
> #endif

This is solely for debugging by JIT maintainers.  Not useful for or
used by users.


>From all the above, only net/slirp.c issue might be of interest.

Thanks,

/mjt

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ