Bug 780816 (CVE-2020-35517) - <app-emulation/qemu-6.0.0: virtiofsd: potential privileged host device access from guest (CVE-2020-35517)
Summary: <app-emulation/qemu-6.0.0: virtiofsd: potential privileged host device access...
Status: RESOLVED FIXED
Alias: CVE-2020-35517
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B1 [glsa+]
Depends on: CVE-2020-35504, CVE-2020-35505, CVE-2020-35506
Reported: 2021-04-07 12:08 UTC by Jannik Glückert
Modified: 2022-08-14 16:11 UTC
Description Jannik Glückert 2021-04-07 12:08:28 UTC
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35517
Upstream patch: https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg05461.html

A flaw was found in qemu. A host privilege escalation issue was found in the virtio-fs shared file system daemon where a privileged guest user is able to create a device special file in the shared directory and use it to r/w access host devices.

This is fixed in the to-be-released qemu-6.0.

The patch seems to be slightly malformed; lines 38 and 39 should be:

@@ -684,8 +707,7 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino, struct stat *attr,
 int valid, struct fuse_file_info *fi)

With that, it applies and builds fine.
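
Added example, not part of the original report and not QEMU or Gentoo code: a host-side audit of a virtiofsd shared directory for the condition this bug depends on, a device special file inside the share. It also reports whether the backing mount carries `nodev`, the Linux mount option that makes the kernel refuse to open device nodes on that filesystem; the shared-directory path is an operator-supplied assumption.

```python
import os
import stat
import sys

def classify(st_mode):
    """Return "char" or "block" for a device special file, else None."""
    if stat.S_ISCHR(st_mode):
        return "char"
    if stat.S_ISBLK(st_mode):
        return "block"
    return None

def find_device_nodes(shared_dir):
    """Walk shared_dir without following symlinks; list device special files."""
    found = []
    for root, dirs, files in os.walk(shared_dir, followlinks=False):
        for name in dirs + files:
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)  # lstat: never dereference a symlink
            except OSError:
                continue  # entry vanished or is unreadable; skip it
            kind = classify(st.st_mode)
            if kind:
                found.append((path, kind, os.major(st.st_rdev),
                              os.minor(st.st_rdev), stat.filemode(st.st_mode)))
    return found

def mount_options(path, mounts_text):
    """Options of the innermost mount containing path (/proc/self/mounts format)."""
    best, opts = "", []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mnt = fields[1]
        inside = path == mnt or path.startswith(mnt.rstrip("/") + "/")
        if inside and len(mnt) >= len(best):  # later equal-length entry = overmount
            best, opts = mnt, fields[3].split(",")
    return opts

if __name__ == "__main__":
    # Assumption: argv[1] is the directory exported to the guest by virtiofsd.
    shared = os.path.realpath(sys.argv[1] if len(sys.argv) > 1 else ".")
    with open("/proc/self/mounts") as f:
        nodev = "nodev" in mount_options(shared, f.read())
    print(f"{shared}: backing mount nodev={'yes' if nodev else 'NO'}")
    for path, kind, major, minor, mode in find_device_nodes(shared):
        print(f"  {mode} {kind} {major}:{minor} {path}")
```

Any device node it lists in a share served by a pre-6.0.0 virtiofsd deserves investigation, and the major:minor pair shows which host device the node refers to.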
Comment 6 NATTkA bot gentoo-dev 2021-07-29 18:11:55 UTC
Package list is empty or all packages have requested keywords.
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 04:42:25 UTC
GLSA request filed
Comment 8 Larry the Git Cow gentoo-dev 2022-08-14 16:10:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=fd3b0a54cba850267bd5f7ed0ac9f66f91aa44ac

commit fd3b0a54cba850267bd5f7ed0ac9f66f91aa44ac
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 16:09:07 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-14 16:09:43 +0000

    [ GLSA 202208-27 ] QEMU: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/733448
    Bug: https://bugs.gentoo.org/736605
    Bug: https://bugs.gentoo.org/773220
    Bug: https://bugs.gentoo.org/775713
    Bug: https://bugs.gentoo.org/780816
    Bug: https://bugs.gentoo.org/792624
    Bug: https://bugs.gentoo.org/807055
    Bug: https://bugs.gentoo.org/810544
    Bug: https://bugs.gentoo.org/820743
    Bug: https://bugs.gentoo.org/835607
    Bug: https://bugs.gentoo.org/839762
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202208-27.xml | 85 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 85 insertions(+)
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 16:11:46 UTC
GLSA done, all done.