Bug 221943 (CVE-2008-2004) - app-emulation/qemu-softmmu < 0.9.1-r3 "drive_init()" security bypass (CVE-2008-2004)
Status: RESOLVED OBSOLETE
Alias: CVE-2008-2004
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/30111/
Whiteboard: B4 [glsa]
Keywords:
Depends on:
Blocks: 212351
Reported: 2008-05-13 13:23 UTC by Celso Fernandes (icezimm)
Modified: 2013-08-28 01:58 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
patch for qemu-softmmu-0.9.1 bug CVE-2008-2004 #221943 (qemu-softmmu-0.9.1-CVE-2008-2004.patch, 1.96 KB, patch)
2008-05-13 14:05 UTC, Celso Fernandes (icezimm)

Description Celso Fernandes (icezimm) 2008-05-13 13:23:45 UTC
QEMU could allow a local attacker to bypass security restrictions caused by an error in the drive_init function. By writing a header to a raw formatted disk image that specifies another image format, an attacker on a guest instance could exploit this vulnerability to read arbitrary files on the host.

Reproducible: Always

Steps to Reproduce:
Affects QEMU 0.9.1
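
Added example, not part of the original report and not QEMU code: a host-side check that flags an image meant to be raw whose first bytes carry the magic of another image format, which is the condition the description above depends on. The function names, the subset of magics (qcow/qcow2, VMDK, VPC) and the sample headers are assumptions constructed for illustration.

```python
import struct
import sys

# Leading magic bytes of a few image formats (illustrative subset, assumed here).
KNOWN_MAGICS = {
    b"QFI\xfb": "qcow",
    b"KDMV": "vmdk (sparse extent)",
    b"COWD": "vmdk (version 3)",
    b"conectix": "vpc",
}

# Constructed sample headers: an all-zero raw sector and a bare qcow2 magic + version.
SAMPLE_RAW = b"\x00" * 512
SAMPLE_QCOW2 = b"QFI\xfb" + struct.pack(">I", 2) + b"\x00" * 504


def probe_header(head):
    """Return the format a header-based probe would pick for `head`, or None."""
    for magic, name in KNOWN_MAGICS.items():
        if head.startswith(magic):
            if name == "qcow" and len(head) >= 8:
                # qcow and qcow2 share the magic; a big-endian version field follows.
                version = struct.unpack(">I", head[4:8])[0]
                return "qcow" if version == 1 else "qcow2 (v%d)" % version
            return name
    return None


def audit_raw_image(path):
    """Return the foreign format found in an image expected to be raw, else None."""
    with open(path, "rb") as f:
        return probe_header(f.read(512))


def report(paths):
    """Build one status line per image path."""
    lines = []
    for path in paths:
        found = audit_raw_image(path)
        lines.append("%s: %s" % (path, "header looks like " + found if found else "ok"))
    return lines


if __name__ == "__main__":
    print("\n".join(report(sys.argv[1:])))
```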
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-13 14:01:40 UTC
Thanks for the report, but please let us rate the severity of the bug ;-)

lu_zero: patch can be found at:
http://svn.savannah.gnu.org/viewvc/?view=rev&root=qemu&revision=4277

please bump as necessary.
Comment 2 Celso Fernandes (icezimm) 2008-05-13 14:05:13 UTC
Created attachment 153053
patch for qemu-softmmu-0.9.1 bug CVE-2008-2004 #221943
Comment 3 Celso Fernandes (icezimm) 2008-05-13 14:09:15 UTC
(In reply to comment #2)
> Created an attachment (id=153053) [edit]
> patch for qemu-softmmu-0.9.1 bug CVE-2008-2004 #221943
> 

don't know if this is the right procedure to propose a patch, so I posted the patch in the last comment (forgot to add these lines, shame on me hehehehe)

so here they are, tested the patch here, and it's working.
 
--- qemu-softmmu-0.9.1-r2.ebuild        2008-05-13 11:06:47.000000000 -0300
+++ qemu-softmmu-0.9.1-r3.ebuild        2008-05-13 11:02:47.000000000 -0300
@@ -46,6 +46,7 @@

        cd "${S}"
        epatch "${FILESDIR}/${P}-CVE-2008-0928.patch" #212351
+       epatch "${FILESDIR}/${P}-CVE-2008-2004.patch" #221943
        # Alter target makefiles to accept CFLAGS set via flag-o.
        sed -i 's/^\(C\|OP_C\|HELPER_C\)FLAGS=/\1FLAGS+=/' \
                Makefile Makefile.target tests/Makefile
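Review bot: the added epatch line for CVE-2008-2004 runs after the CVE-2008-0928 patch, so it should be confirmed to apply cleanly on top of that patch and not only against unpatched 0.9.1 sources. The line also depends on "${FILESDIR}/${P}-CVE-2008-2004.patch" existing, so the attached qemu-softmmu-0.9.1-CVE-2008-2004.patch has to be committed under exactly that name together with the -r3 ebuild, otherwise the unpack phase will fail.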
Comment 4 Luca Barbato gentoo-dev 2008-05-14 14:50:22 UTC
Committed
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-05-14 18:36:17 UTC
Reopening it for possible stable marking and GLSA decision (No CVS access atm so I can't check whether it was committed directly to stable).
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-05-14 19:24:39 UTC
Celso: both linking the patch in the repository, or attaching it to the bug are fine. There's no need to give the diff to the ebuild though, as the additional epatch line is trivial. Thanks for your report!
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-05-14 19:25:39 UTC
I don't see the commit in the tree yet, so still [ebuild].
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-05-14 19:37:22 UTC
Sorry, my bad.

Arches, please test and mark stable:
=app-emulation/qemu-softmmu-0.9.1-r3
Target keywords : "amd64 ppc release x86"
Already stabled : "x86"
Missing keywords: "amd64 ppc release"
Comment 9 Markus Meier gentoo-dev 2008-05-14 20:25:58 UTC
amd64 stable
Comment 10 Tobias Scherbaum (RETIRED) gentoo-dev 2008-05-29 08:37:28 UTC
this one is already stable for ppc
Comment 11 Peter Volkov (RETIRED) gentoo-dev 2008-05-30 07:44:42 UTC
Fixed in release snapshot. This bug is finally GLSA vote ready ;)
Comment 12 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-06-01 18:19:01 UTC
(In reply to comment #11)
> Fixed in release snapshot. This bug is finally GLSA vote ready ;)
> 

Thanks Peter for the reminder ;)
I vote NO.
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2008-06-16 22:53:41 UTC
I think we could GLSA this bug together with bug 212351. By itself, I would vote no.
Comment 14 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2008-08-05 15:13:24 UTC
OK with bug 212351
Comment 15 Matt Drew (RETIRED) gentoo-dev 2008-09-08 16:58:20 UTC
I vote yes, with bug 212351.
Comment 16 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-18 21:55:14 UTC
(In reply to comment #13)
> I think we could GLSA this bug together with bug 212351. By itself, I would
> vote no.

(In reply to comment #14)
> OK with bug 212351
> 

(In reply to comment #15)
> I vote yes, with bug 212351.

Request was already filed with... bug 212351 :)
Comment 17 Doug Goldstein (RETIRED) gentoo-dev 2012-03-08 16:28:09 UTC
Removed from tree.
Comment 18 Doug Goldstein (RETIRED) gentoo-dev 2012-10-20 16:49:02 UTC
(In reply to comment #17)
> Removed from tree.

Still removed from the tree. Hint: You can close.
Comment 19 Celso Fernandes (icezimm) 2012-10-20 18:18:20 UTC
package removed from the tree ;)
Comment 20 Sean Amoss (RETIRED) gentoo-dev Security 2012-10-20 21:03:18 UTC
(In reply to comment #18)
> (In reply to comment #17)
> > Removed from tree.
> 
> Still removed from the tree. Hint: You can close.

Hint: read the vulnerability policy and stop spamming the security team. Sending us bugspam that these bugs can be closed does not release a GLSA any faster.

(In reply to comment #19)
> package removed from the tree ;)

Read the comment at the bottom of this bug that says do not close the bug. Only the security team does that after a GLSA is released.
Comment 21 Doug Goldstein (RETIRED) gentoo-dev 2013-08-28 01:27:11 UTC
(In reply to Sean Amoss from comment #20)
> (In reply to comment #18)
> > (In reply to comment #17)
> > > Removed from tree.
> > 
> > Still removed from the tree. Hint: You can close.
> 
> Hint: read the vulnerability policy and stop spamming the security team.
> Sending us bugspam that these bugs can be closed does not release a GLSA any
> faster.

Not sure if a bug ignored for 5 years falls under any criteria. That being said, ping.
Comment 22 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-28 01:58:20 UTC
5 year old bug, package gone from tree -> byebye.