Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 14 Dec 2015 12:14:39 +0100
From: "Jason A. Donenfeld" <Jason@...c4.com>
To: oss-security <oss-security@...ts.openwall.com>
Cc: Gentoo Security <security@...too.org>
Subject: CVE Request: Local Privilege Escalation in QEMU virtfs-proxy-helper

Hi folks,

Some distros make qemu's virtfs-proxy-helper binary either SUID or
give it filesystem capabilities such as cap_chown. This is completely
insane for a wide variety of reasons; there are quite a few ways of
abusing this to elevate privileges.

This commit fixes the issue in Gentoo:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=183dd7394703b49c7af441a9c4227b4b91453510

The commit message contains a TOCTOU PoC.

Can we get a CVE for this blunder?

Other distributions - you might want to double check that you're not
making a similar mistake.

I have no idea if QEMU upstream recommends suid/fscaps in some
documentation, or something similar, in which case that'll need to be
changed.

Thanks,
Jason

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ