Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAHmME9r6jQX-Zwaub6J=C2WavsFiGMR0GR19aWppUZkYztcYfw@mail.gmail.com>
Date: Mon, 14 Dec 2015 12:13:21 +0100
From: "Jason A. Donenfeld" <Jason@...c4.com>
To: oss-security <oss-security@...ts.openwall.com>
Cc: Gentoo Security <security@...too.org>
Subject: CVE Request: Local Privilege Escalation in QEMU virtfs-proxy-helper

Hi folks,

Some distros make qemu's virtfs-proxy-helper binary either SUID or
give it filesystem capabilities such as cap_chown. This is completely
insane for a wide variety of reasons; there are quite a few ways of
abusing this to elevate privileges.

This commit fixes the issue in Gentoo:
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=183dd7394703b49c7af441a9c4227b4b91453510The
commit message contains a TOCTOU PoC.

Can we get a CVE for this blunder?

Other distributions - you might want to double check that you're not
making a similar mistake.

I have no idea if QEMU upstream recommends suid/fscaps in some
documentation, or something similar, in which case that'll need to be
changed.

Thanks,
Jason

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.