Re: [Qemu-devel] [oss-security] QEMU 2.3.0 tmp vulns CVE request

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [oss-security] QEMU 2.3.0 tmp vulns CVE request

From:	Michael Tokarev
Subject:	Re: [Qemu-devel] [oss-security] QEMU 2.3.0 tmp vulns CVE request
Date:	Sat, 16 May 2015 11:45:27 +0300
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Icedove/31.6.0

[Adding Cc address@hidden

13.05.2015 19:23, Kurt Seifried wrote:
> So some suspicious looking tmp usage in qemu (I excluded the test
> scripts and builds scripts, they were rife with problems so hopefully
> people only build in trusted environments).
> 
> Additionally there will no doubt be further QEMU issues found in the
> next few days/weeks as people start looking, I would ask that this be
> handled publicly unless it's Remote Code Exec or equivalent (e.g.
> CVE-2015-3456).
> 
> 
> 
> ====================================================================
> http://wiki.qemu-project.org/download/qemu-2.3.0.tar.bz2
> 
> ====================================================================
> ./roms/u-boot/tools/patman/series.py:
> ./roms/u-boot/lib/lzma/import_lzmasdk.sh

This is part of u-boot source maintained externally but included
in qemu sources tarball.  It is not used directly even for building
qemu, used only by relevant maintainers when they update files in
pc-bios/ which are produced from this set of sources.  If the bug
is to be assigned, it should be filed against u-boot not qemu.

> ====================================================================
> ./roms/ipxe/src/util/niclist.pl:

The same thing, it is ipxe source, not used by qemu in any way.

> ====================================================================
> 
> ./net/slirp.c:
>     snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.%ld-%d",
>              (long)getpid(), instance++);

This one is real, used for -smb argument, to start smbd, making
its configuration.  Maybe tmpnam() should be used here.

> ====================================================================
> ./tcg/tcg.c:
> #ifdef DEBUG_JIT
>     /* Enable this block to be able to debug the ELF image file creation.
>        One can use readelf, objdump, or other inspection utilities.  */
>     {
>         FILE *f = fopen("/tmp/qemu.jit", "w+b");
>         if (f) {
>             if (fwrite(img, img_size, 1, f) != img_size) {
>                 /* Avoid stupid unused return value warning for fwrite.  */
>             }
>             fclose(f);
>         }
>     }
> #endif

This is solely for debugging by JIT maintainers.  Not useful for or
used by users.


>From all the above, only net/slirp.c issue might be of interest.

Thanks,

/mjt

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [Qemu-devel] [oss-security] QEMU 2.3.0 tmp vulns CVE request, Michael Tokarev <=
- Re: [Qemu-devel] [oss-security] QEMU 2.3.0 tmp vulns CVE request, Jakub Wilk, 2015/05/16

Prev by Date: Re: [Qemu-devel] [PATCH 02/17] ipmi: Add a PC ISA type structure
Next by Date: Re: [Qemu-devel] [PATCH] macio: Convert to realize()
Previous by thread: [Qemu-devel] [PATCH 0/2] Use bool for QBool
Next by thread: Re: [Qemu-devel] [oss-security] QEMU 2.3.0 tmp vulns CVE request
Index(es):
- Date
- Thread