Bug 909542 (CVE-2023-2861) - <app-emulation/qemu-7.2.3-r1: Insufficient access control in 9pfs
Status: IN_PROGRESS
Alias: CVE-2023-2861
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa?]
Reported: 2023-07-02 22:48 UTC by Sam James
Modified: 2024-04-27 14:07 UTC
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-07-02 22:48:19 UTC
https://gitlab.com/qemu-project/qemu/-/commit/10fad73a2bf1c76c8aa9d6322755e5f877d83ce5

"""
From 10fad73a2bf1c76c8aa9d6322755e5f877d83ce5 Mon Sep 17 00:00:00 2001
From: Christian Schoenebeck <qemu_oss@crudebyte.com>
Date: Wed, 7 Jun 2023 18:29:33 +0200
Subject: [PATCH] 9pfs: prevent opening special files (CVE-2023-2861)

The 9p protocol does not specifically define how server shall behave when
client tries to open a special file, however from security POV it does
make sense for 9p server to prohibit opening any special file on host side
in general. A sane Linux 9p client for instance would never attempt to
open a special file on host side, it would always handle those exclusively
on its guest side. A malicious client however could potentially escape
from the exported 9p tree by creating and opening a device file on host
side.

With QEMU this could only be exploited in the following unsafe setups:

  - Running QEMU binary as root AND 9p 'local' fs driver AND 'passthrough'
    security model.

or

  - Using 9p 'proxy' fs driver (which is running its helper daemon as
    root).

These setups were already discouraged for safety reasons before,
however for obvious reasons we are now tightening behaviour on this.

Fixes: CVE-2023-2861
Reported-by: Yanwu Shen <ywsPlz@gmail.com>
Reported-by: Jietao Xiao <shawtao1125@gmail.com>
Reported-by: Jinku Li <jkli@xidian.edu.cn>
Reported-by: Wenbo Shen <shenwenbo@zju.edu.cn>
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Message-Id: <E1q6w7r-0000Q0-NM@lizzy.crudebyte.com>
(cherry picked from commit f6b0de53fb87ddefed348a39284c8e2f28dc4eda)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(Mjt: drop adding qemu_fstat wrapper for 7.2 where wrappers aren't used)
---
"""
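
The server-side rule the commit message describes (refuse to hand out a descriptor for anything that is not a regular file or a directory), sketched as an added example; this is not QEMU's code and not part of the bug report. The helper name `open_no_special`, the choice of `ENXIO` and the sample paths are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Hypothetical helper: open `name` relative to `dirfd` and return the
 * descriptor only if it refers to a regular file or a directory.
 * Device nodes, FIFOs and sockets are closed again and refused.
 */
static int open_no_special(int dirfd, const char *name, int flags)
{
    struct stat st;
    int fd, saved;

    /*
     * O_NOFOLLOW: do not follow a symlink in the last path component.
     * O_NONBLOCK: opening a FIFO or device must not stall the server.
     * O_NOCTTY:   a terminal must not become the controlling tty.
     */
    fd = openat(dirfd, name, flags | O_NOFOLLOW | O_NONBLOCK | O_NOCTTY);
    if (fd < 0) {
        return -1;
    }
    /* Inspect the opened object, not the path: a stat() before the
     * open could be raced by a client that swaps the directory entry. */
    if (fstat(fd, &st) < 0) {
        saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    if (!S_ISREG(st.st_mode) && !S_ISDIR(st.st_mode)) {
        close(fd);
        errno = ENXIO; /* error code chosen for this example */
        return -1;
    }
    return fd;
}

int main(void)
{
    /* Constructed sample paths: a character device and a directory. */
    int dev = open_no_special(AT_FDCWD, "/dev/null", O_RDWR);
    int dir = open_no_special(AT_FDCWD, "/", O_RDONLY);
    printf("device fd=%d, directory fd=%d\n", dev, dir);
    return 0;
}
```

The check limits what a client can reach through the export; it does not replace the advice in the commit message to avoid running the server side as root.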
Comment 1 Larry the Git Cow gentoo-dev 2023-07-02 23:01:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d2d08ad4d9a70136bf79818eb698e3cb7eead3b0

commit d2d08ad4d9a70136bf79818eb698e3cb7eead3b0
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-07-02 23:00:41 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-07-02 23:00:43 +0000

    app-emulation/qemu: fix CVE-2023-2861 for 8.0.2
    
    Bug: https://bugs.gentoo.org/909542
    Signed-off-by: Sam James <sam@gentoo.org>

 .../qemu/files/qemu-8.0.2-CVE-2023-2861.patch      | 162 ++++
 app-emulation/qemu/qemu-8.0.2-r1.ebuild            | 964 +++++++++++++++++++++
 2 files changed, 1126 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dde094e8f986b73ffdcb3f71226aac92e415408a

commit dde094e8f986b73ffdcb3f71226aac92e415408a
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-07-02 22:58:04 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-07-02 22:58:04 +0000

    app-emulation/qemu: fix CVE-2023-2861 for 7.2.3
    
    Bug: https://bugs.gentoo.org/909542
    Signed-off-by: Sam James <sam@gentoo.org>

 .../qemu/files/qemu-7.2.3-CVE-2023-2861.patch      | 162 ++++
 app-emulation/qemu/qemu-7.2.3-r1.ebuild            | 973 +++++++++++++++++++++
 2 files changed, 1135 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2023-07-02 23:35:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=229d28a525799ae2f65b1a2cd206b07189241026

commit 229d28a525799ae2f65b1a2cd206b07189241026
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-07-02 23:34:19 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-07-02 23:34:42 +0000

    app-emulation/qemu: use right CVE-2023-2861 patch for 8.0.2
    
    Fixes: d2d08ad4d9a70136bf79818eb698e3cb7eead3b0
    Bug: https://bugs.gentoo.org/909542
    Signed-off-by: Sam James <sam@gentoo.org>

 .../qemu/files/qemu-8.0.2-CVE-2023-2861.patch      | 23 +++++++++++++---------
 .../{qemu-8.0.2-r1.ebuild => qemu-8.0.2-r2.ebuild} |  0
 2 files changed, 14 insertions(+), 9 deletions(-)
Comment 3 Hans de Graaff gentoo-dev Security 2023-10-21 05:37:49 UTC
Ping. Please clean up vulnerable versions 7.2.0-r3 and 7.2.3.
Comment 4 Larry the Git Cow gentoo-dev 2023-10-30 02:58:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=50ad24c08d86326adcff296e6beb26107e0ab028

commit 50ad24c08d86326adcff296e6beb26107e0ab028
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2023-10-30 02:57:34 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-10-30 02:58:26 +0000

    app-emulation/qemu: drop 7.2.0-r3, 7.2.3
    
    Bug: https://bugs.gentoo.org/909542
    Bug: https://bugs.gentoo.org/865112
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 app-emulation/qemu/Manifest             |   2 -
 app-emulation/qemu/qemu-7.2.0-r3.ebuild | 973 --------------------------------
 app-emulation/qemu/qemu-7.2.3.ebuild    | 972 -------------------------------
 3 files changed, 1947 deletions(-)
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2024-04-27 14:07:39 UTC
Not much to do here anymore.