Date: Wed, 13 May 2015 10:23:57 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: QEMU 2.3.0 tmp vulns CVE request

So some suspicious-looking tmp usage in qemu (I excluded the test
scripts and build scripts, they were rife with problems so hopefully
people only build in trusted environments).

Additionally there will no doubt be further QEMU issues found in the
next few days/weeks as people start looking; I would ask that this be
handled publicly unless it's Remote Code Exec or equivalent (e.g.
CVE-2015-3456).



====================================================================
http://wiki.qemu-project.org/download/qemu-2.3.0.tar.bz2

====================================================================
./roms/u-boot/tools/patman/series.py:
    def MakeCcFile(self, process_tags, cover_fname, raise_on_error):
        """Make a cc file for us to use for per-commit Cc automation

        Also stores in self._generated_cc to make ShowActions() faster.

        Args:
            process_tags: Process tags as if they were aliases
            cover_fname: If non-None the name of the cover letter.
            raise_on_error: True to raise an error when an alias fails to match,
                False to just print a message.
        Return:
            Filename of temp file created
        """
        # Look for commit tags (of the form 'xxx:' at the start of the subject)
        fname = '/tmp/patman.%d' % os.getpid()
        fd = open(fname, 'w')
        all_ccs = []
        for commit in self.commits:
            list = []
            if process_tags:
                list += gitutil.BuildEmailList(commit.tags,
                                               raise_on_error=raise_on_error)
            list += gitutil.BuildEmailList(commit.cc_list,
                                           raise_on_error=raise_on_error)
            list += get_maintainer.GetMaintainer(commit.patch)
            all_ccs += list
            print >>fd, commit.patch, ', '.join(list)
            self._generated_cc[commit.patch] = list

        if cover_fname:
            cover_cc = gitutil.BuildEmailList(self.get('cover_cc', ''))
            print >>fd, cover_fname, ', '.join(set(cover_cc + all_ccs))

        fd.close()
        return fname
====================================================================

./roms/u-boot/lib/lzma/import_lzmasdk.sh

#!/bin/sh

usage() {
        echo "Usage: $0 lzmaVERSION.tar.bz2" >&2
        echo >&2
        exit 1
}

if [ "$1" = "" ] ; then
         usage
fi

if [ ! -f $1 ] ; then
        echo "$1 doesn't exist!" >&2
        exit 1
fi

BASENAME=`basename $1 .tar.bz2`
TMPDIR=/tmp/tmp_lib_$BASENAME
FILES="C/LzmaDec.h
      C/Types.h
      C/LzmaDec.c
      history.txt
      lzma.txt"

mkdir -p $TMPDIR
echo "Untar $1 -> $TMPDIR"
tar -jxf $1 -C $TMPDIR

for i in $FILES; do
        echo Copying  $TMPDIR/$i \-\> `basename $i`
        cp $TMPDIR/$i .
        chmod -x `basename $i`
done

echo "done!"
====================================================================
./roms/ipxe/src/util/niclist.pl:
'pci-file=s' => \( my $pci_file = '/tmp/pci.ids' ),

# Download pci.ids file and parse it
fetch_pci_ids_file($pci_url, $pci_file);
my $pci_id_map = build_pci_id_map($pci_file);
====================================================================

./net/slirp.c:
    snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.%ld-%d",
             (long)getpid(), instance++);
====================================================================
./tcg/tcg.c:
#ifdef DEBUG_JIT
    /* Enable this block to be able to debug the ELF image file creation.
       One can use readelf, objdump, or other inspection utilities.  */
    {
        FILE *f = fopen("/tmp/qemu.jit", "w+b");
        if (f) {
            if (fwrite(img, img_size, 1, f) != img_size) {
                /* Avoid stupid unused return value warning for fwrite.  */
            }
            fclose(f);
        }
    }
#endif
====================================================================

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
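
The net/slirp.c and tcg/tcg.c excerpts above build fixed or PID-derived names under /tmp. As an added example (not part of the original post and not QEMU's code), the same two operations can be done with mkdtemp() and an exclusive open; the helper names, the "qemu-example" prefix and the "debug.img" file name are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L /* mkdtemp, O_NOFOLLOW, O_CLOEXEC */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: create a private scratch directory with an
   unpredictable name. mkdtemp() creates it owner-only and fails instead of
   reusing an existing path. Returns 0 and fills 'out', or -1 with errno set. */
int make_private_dir(const char *prefix, char *out, size_t outlen)
{
    const char *base = getenv("TMPDIR");
    if (!base || !*base)
        base = "/tmp";
    int n = snprintf(out, outlen, "%s/%s.XXXXXX", base, prefix);
    if (n < 0 || (size_t)n >= outlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkdtemp(out) ? 0 : -1;
}

/* Hypothetical helper: create a brand-new file inside 'dir'. O_CREAT|O_EXCL
   makes open() fail with EEXIST if anything, including a symlink, already
   sits at the path, so an existing object is never followed or truncated. */
int create_new_file(const char *dir, const char *name)
{
    char path[4096];
    int n = snprintf(path, sizeof(path), "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= sizeof(path)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

int main(void)
{
    char dir[4096];
    if (make_private_dir("qemu-example", dir, sizeof(dir)) != 0) { perror("mkdtemp"); return 1; }
    int fd = create_new_file(dir, "debug.img"); /* constructed file name */
    if (fd < 0) { perror("open"); return 1; }
    printf("created %s/debug.img\n", dir);
    close(fd);
    return 0;
}
```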



