Date: Sat, 23 May 2015 11:43:40 -0400 (EDT)
Subject: Re: QEMU 2.3.0 tmp vulns CVE request


> So some suspicious looking tmp usage in qemu ...

> Additionally there will no doubt be further QEMU issues found in the
> next few days/weeks as people start looking ...

We do not know of any further discussion of this, so it seems
best to assign a CVE ID only for the net/slirp.c issue in
the slirp_smb function:

>     snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.%ld-%d",
>              (long)getpid(), instance++);
>     if (mkdir(s->smb_dir, 0700) < 0) {
>         error_report("could not create samba server dir '%s'", s->smb_dir);
>         return -1;

The simplest attack would be a DoS in which someone creates
/tmp/qemu-smb.*-* files to prevent the legitimate creation of
s->smb_dir (mkdir will not follow a symlink).

Use CVE-2015-4037.

Michael Tokarev commented on most of the other issues. For
/tmp/pci.ids in (apparently maintained at, the
question is whether there's a requirement for a script of this type to
be within the scope of CVE. As far as we can tell, is not
executed in any default or configurable use of the product, and the
documentation doesn't mention executing it. Of course, some people do
execute it (it is sometimes mentioned in the product's forum such as
on the page). If
someone needs a CVE mapping to track the use of /tmp/pci.ids, please
specify what vulnerabilities exist. For example, if runs
"wget -O /tmp/pci.ids" and this follows a symlink from /tmp/pci.ids,
is this best considered a vulnerability in iPXE rather than a
vulnerability in wget? If /tmp/pci.ids is a plain file owned by
someone else, and isn't overwritten by, then is there an
XSS issue in format_nic_list_html?

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
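Added example (not from the message or from QEMU's own source): a C program that reproduces the failure mode described above, a guessable /tmp name that a pre-existing file blocks, next to the mkdtemp() replacement a maintainer would use. The function names and the fake pid value are assumptions made for the demonstration.

```c
#define _XOPEN_SOURCE 700   /* for mkdtemp() */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Mirrors the quoted slirp_smb() pattern: a name built from pid and a counter
 * is guessable, so anyone who can write to /tmp can occupy it first.
 * Returns 0 on success, -1 with errno set on failure. */
int smb_dir_predictable(char *dir, size_t len, long pid, int instance) {
    snprintf(dir, len, "/tmp/qemu-smb.%ld-%d", pid, instance);
    return mkdir(dir, 0700);
}

/* Hardened variant: mkdtemp() picks a random suffix and creates the directory
 * with mode 0700 in one step, so there is no fixed name to squat on. */
int smb_dir_unpredictable(char *dir, size_t len) {
    static const char tmpl[] = "/tmp/qemu-smb.XXXXXX";
    if (len < sizeof tmpl) { errno = ENAMETOOLONG; return -1; }
    memcpy(dir, tmpl, sizeof tmpl);
    return mkdtemp(dir) ? 0 : -1;
}

/* Reproduce the DoS from the message: a plain file already sitting at the
 * guessable path makes the legitimate mkdir() fail. fake_pid is a constructed
 * value so the check never collides with a real process. Returns the errno the
 * victim saw (EEXIST), 0 if creation unexpectedly succeeded, -1 on setup error. */
int squatted_path_errno(long fake_pid, int instance) {
    char path[128];
    snprintf(path, sizeof path, "/tmp/qemu-smb.%ld-%d", fake_pid, instance);
    FILE *squat = fopen(path, "w");          /* the pre-created file */
    if (!squat) return -1;
    fclose(squat);
    int err = smb_dir_predictable(path, sizeof path, fake_pid, instance) < 0 ? errno : 0;
    if (err == 0) rmdir(path); else unlink(path);   /* clean up either way */
    return err;
}

/* Show the mkdtemp() path still succeeds and keeps the expected prefix. */
int unpredictable_dir_ok(void) {
    char dir[128];
    if (smb_dir_unpredictable(dir, sizeof dir) < 0) return 0;
    int ok = strncmp(dir, "/tmp/qemu-smb.", 14) == 0;
    rmdir(dir);
    return ok;
}
```

Because mkdir() does not follow symlinks, the predictable form degrades to a denial of service rather than a file overwrite, which is exactly the impact the message assigns to CVE-2015-4037.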

