CVE-2008-1945 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1945): QEMU 0.9.0 does not properly handle changes to removable media, which allows guest OS users to read arbitrary files on the host OS by using the diskformat: parameter in the -usbdevice option to modify the disk-image header to identify a different format, a related issue to CVE-2008-2004.
Created attachment 163325 [details, diff] qemu-CVE-2008-1945.patch Patch as applied upstream in r4747
Created attachment 163327 [details, diff] qemu-0.9.0-mdv,svn-CVE-2008-1945.patch Patch as applied by Mandriva
I asked spuk of Mandriva why the patch was not fully applied upstream: <spuk-> rbu: don't know why it wasn't fully applied upstream, last words from the patch author (Chris Wright) after some discussion on the patch were that that patch was fine, and I didn't see a drawback on using it, as it seemed "more complete", even though the "extra completeness" might not be very important (maybe that's why it wasn't applied?)
Chris Wright's original comment on the patch (as used by Mandriva): Subject: [PATCH] add image format options for USB storage and removable media Previous commit didn't handle removable media or USB (thanks to Markus for noting this). This patch adds a cmdline option for USB to allow admin to specify format type. To avoid changing exists semantics a new option -usbdevice diskformat: is added (ugly name). This is valid from both command line and monitor interface. Because of the comma delimiter, admin must use ',,' just as in -drive file=filename. The patch also allows specifying image format when changing removable media. It is an optional argument to the monitor command "change," so there is no change to existing semantics. Longer term it'd be better to provide some safe defaults.
@security: ~5 year ping. package is no longer in the tree. The bug doesn't make a note of this but it affected xen 3.0 as well.
5 year old bug, package gone -> byebye.