Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 12 Jul 2011 20:48:59 +0400
From: Michael Tokarev <mjt@....msk.ru>
To: oss-security@...ts.openwall.com
Subject: CVE Request: qemu -runas does not clear supplementary groups

There's a missing initgroups() call in qemu in the -runas
argument handling.  Details are available on

 https://bugs.launchpad.net/qemu/+bug/807893

in short, -runas is supposed to reduce privileges to a
bare minimum (after all initialization is completed),
but the process still has all the supplementary groups
which should be dropped too.

Can a CVE id be assigned for this issue?

Thanks,

/mjt

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.