
Bug 427820 (CVE-2011-2527)

Summary: app-emulation/qemu-user: Fails to drop group privileges with -runas option (CVE-2011-2527)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED WONTFIX
Severity: minor
CC: lu_zero, qemu+disabled
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B4 [ebuild]
Package list:
Runtime testing required: ---
Bug Depends on: 508098
Bug Blocks:

Description GLSAMaker/CVETool Bot gentoo-dev 2012-07-23 23:08:28 UTC
CVE-2011-2527 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2527):
  The change_process_uid function in os-posix.c in Qemu 0.14.0 and earlier
  does not properly drop group privileges when the -runas option is used,
  which allows local guest users to access restricted files on the host.


Upstream bug report:
https://bugs.launchpad.net/qemu/+bug/807893
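
The defect class named in the CVE text above, seen from the defensive side. This is an added example, not QEMU's code and not part of this bug report: a root-to-user drop that resets supplementary groups before setgid()/setuid() and then verifies the result. The function names and MAX_GROUPS are hypothetical, and a Linux/glibc host is assumed.

```c
/* Added example: not QEMU's change_process_uid(); names are hypothetical. */
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_GROUPS 256

/* Count groups the process still holds that the target user is not entitled to. */
static int count_unexpected_groups(const gid_t *have, int nhave,
                                   const gid_t *allowed, int nallowed)
{
    int unexpected = 0;
    for (int i = 0; i < nhave; i++) {
        int found = 0;
        for (int j = 0; j < nallowed; j++)
            if (have[i] == allowed[j]) found = 1;
        if (!found) unexpected++;
    }
    return unexpected;
}

/* Drop from root to `user`; returns 0 only if every credential was verified. */
static int drop_to_user(const char *user)
{
    gid_t allowed[MAX_GROUPS], have[MAX_GROUPS];
    int nallowed = MAX_GROUPS, nhave;
    struct passwd *pw = getpwnam(user);

    if (!pw) return -1;
    if (getgrouplist(pw->pw_name, pw->pw_gid, allowed, &nallowed) < 0) return -1;
    /* Groups first, while still privileged; setuid() must come last. */
    if (initgroups(pw->pw_name, pw->pw_gid) < 0) return -1;
    if (setgid(pw->pw_gid) < 0) return -1;
    if (setuid(pw->pw_uid) < 0) return -1;
    /* Verify instead of trusting return codes: root must not be regainable. */
    if (pw->pw_uid != 0 && setuid(0) == 0) return -1;
    if (getgid() != pw->pw_gid || getegid() != pw->pw_gid) return -1;
    if ((nhave = getgroups(MAX_GROUPS, have)) < 0) return -1;
    return count_unexpected_groups(have, nhave, allowed, nallowed) ? -1 : 0;
}

int main(int argc, char **argv)
{
    if (argc != 2 || drop_to_user(argv[1]) != 0) {
        fprintf(stderr, "usage: %s USER (run as root); drop failed\n", argv[0]);
        return 1;
    }
    printf("uid=%d gid=%d, supplementary groups verified\n", (int)getuid(), (int)getgid());
    return 0;
}
```

If the initgroups() call is omitted, a process started by root keeps root's supplementary groups after setgid()/setuid(), and the final check reports them as unexpected.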

Comment 1 Doug Goldstein (RETIRED) gentoo-dev 2012-12-08 06:12:59 UTC
This affects current app-emulation/qemu-user ebuilds in the tree (but not app-emulation/qemu).

Comment 2 SpanKY gentoo-dev 2014-05-30 04:40:44 UTC
qemu-user has been removed from the tree as its functionality has been superseded by the combined app-emulation/qemu package. If you find the qemu package does not support something that the qemu-user package did, please file a new bug explicitly detailing things so we can get it added.