Summary: | <app-emulation/qemu-2.8.0-r9: 9p: virtfs allows guest to access host filesystem | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | qemu+disabled |
Priority: | Normal | Flags: | stable-bot: sanity-check+ |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1413929 | ||
Whiteboard: | B1 [glsa cve] | ||
Package list: | app-emulation/qemu-2.8.0-r9 |
Runtime testing required: | --- |
Bug Depends on: | |||
Bug Blocks: | 612220 |
Description
Agostino Sarubbo
2017-01-17 13:31:51 UTC
In order to fix this security issue, we will probably have to wait for upstream to release a new version containing this absolutely non-trivial patch set. [1]

[1] https://lists.gnu.org/archive/html/qemu-devel/2017-01/msg06225.html

Update: The patches are still not approved by upstream…

Project zero derestricted their tracker bug (with POC) [1].

[1] https://bugs.chromium.org/p/project-zero/issues/detail?id=1035&can=6&q=

Finally...

commit 938d91b3e98a08d43a692155db159f63437c2995
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Mon Mar 27 06:53:54 2017 -0500

    app-emulation/qemu: Apply upstream patches for CVE-2016-9602, bug #606088

    Package-Manager: Portage-2.3.3, Repoman-2.3.2

Arches, please test and mark stable
=app-emulation/qemu-2.8.0-r9
Target-keywords: "amd64 x86"

Added to an existing GLSA Request.

Since we are writing up a GLSA for QEMU, adding this to the current one, and will release it when stabilization is complete.

amd64 stable

x86 stable.

Maintainer(s), please cleanup.

commit 8e6a5f44a3119c14be5245fec2e4ee2528c573bc
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Sat Apr 1 21:25:20 2017 -0500

    app-emulation/qemu: drop vulnerable, bug #606088

    Package-Manager: Portage-2.3.3, Repoman-2.3.2

This issue was resolved and addressed in GLSA 201704-01 at https://security.gentoo.org/glsa/201704-01 by GLSA coordinator Kristian Fiskerstrand (K_F).