Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 780816 (CVE-2020-35517)

Summary: <app-emulation/qemu-6.0.0: virtiofsd: potential privileged host device access from guest (CVE-2020-35517)
Product: Gentoo Security Reporter: Jannik Glückert <jannik.glueckert>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: minor CC: ajak, sam, tamiko, virtualization, zlogene
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B1 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 792624    
Bug Blocks:    

Description Jannik Glückert 2021-04-07 12:08:28 UTC
Upstream patch:

A flaw was found in qemu. A host privilege escalation issue was found in the virtio-fs shared file system daemon where a privileged guest user is able to create a device special file in the shared directory and use it to r/w access host devices.

This is fixed in to be released qemu-6.0

The patch seems to be slightly malformed, lines 38 and 39 should be:

@@ -684,8 +707,7 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino, struct stat *attr,
 int valid, struct fuse_file_info *fi)

with that it applies and builds fine
Comment 1 NATTkA bot gentoo-dev 2021-07-29 17:23:14 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev 2021-07-29 17:31:33 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:39:31 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:47:41 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 18:03:37 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 18:11:55 UTC
Package list is empty or all packages have requested keywords.
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 04:42:25 UTC
GLSA request filed
Comment 8 Larry the Git Cow gentoo-dev 2022-08-14 16:10:04 UTC
The bug has been referenced in the following commit(s):

commit fd3b0a54cba850267bd5f7ed0ac9f66f91aa44ac
Author:     GLSAMaker <>
AuthorDate: 2022-08-14 16:09:07 +0000
Commit:     Sam James <>
CommitDate: 2022-08-14 16:09:43 +0000

    [ GLSA 202208-27 ] QEMU: Multiple Vulnerabilities
    Signed-off-by: GLSAMaker <>
    Signed-off-by: Sam James <>

 glsa-202208-27.xml | 85 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 85 insertions(+)
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 16:11:46 UTC
GLSA done, all done.