Summary: | <app-emulation/qemu-2.4.1-r2[virtfs]: Local Privilege Escalation due to filesystem caps/setuid access with /usr/bin/virtfs-proxy-helper (CVE-2015-8556) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Kristian Fiskerstrand (RETIRED) <k_f> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | qemu+disabled |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | B2 [glsa cve] | ||
Package list: | Runtime testing required: | --- |
Description
Kristian Fiskerstrand (RETIRED)
2015-12-14 12:54:06 UTC
2nd URL should be http://seclists.org/oss-sec/2015/q4/483 Maintainers, please advise when ready to stabilize Was assigned CVE-2015-8556 here: http://seclists.org/oss-sec/2015/q4/497 (In reply to Kristian Fiskerstrand from comment #1) > 2nd URL should be http://seclists.org/oss-sec/2015/q4/483 > > Maintainers, please advise when ready to stabilize You guys did the bump. Maintainers weren't involved. I'd say you guys go with the stabilization. (In reply to Doug Goldstein from comment #3) except Jason didn't actually update all the ebuilds, just did a revbump for the ones that had stable versions. so all the others remain vulnerable including the latest ~arch. i'm also not sure why the commit message is filled with the PoC. if you want verbose data, link to the bug report/upstream URL, don't fill the log with data that's going to be dead in a month. fixed with 2.4.1-r2. fine for stable. http://gitweb.gentoo.org/repo/gentoo.git/commit/?id=75d0202d68b81bc06d451b574670d8374751789f i've also cleaned the logic from all the ebuilds in the tree: http://gitweb.gentoo.org/repo/gentoo.git/commit/?id=359bcd793b5d0507b496cfb4125eaea0c0137de5 amd64/x86 stable Maintainer please cleanup cleanup done by vapier Arches and Maintainer(s), Thank you for your work. Added to an existing GLSA Request. This issue was resolved and addressed in GLSA 201602-01 at https://security.gentoo.org/glsa/201602-01 by GLSA coordinator Kristian Fiskerstrand (K_F). |