[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 14 Dec 2015 12:13:21 +0100
From: "Jason A. Donenfeld" <Jason@...c4.com>
To: oss-security <oss-security@...ts.openwall.com>
Cc: Gentoo Security <security@...too.org>
Subject: CVE Request: Local Privilege Escalation in QEMU virtfs-proxy-helper
Hi folks,
Some distros make qemu's virtfs-proxy-helper binary either SUID or
give it filesystem capabilities such as cap_chown. This is completely
insane for a wide variety of reasons; there are quite a few ways of
abusing this to elevate privileges.
This commit fixes the issue in Gentoo:
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=183dd7394703b49c7af441a9c4227b4b91453510The
commit message contains a TOCTOU PoC.
Can we get a CVE for this blunder?
Other distributions - you might want to double check that you're not
making a similar mistake.
I have no idea if QEMU upstream recommends suid/fscaps in some
documentation, or something similar, in which case that'll need to be
changed.
Thanks,
Jason
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
