Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 606088 (CVE-2016-9602) - <app-emulation/qemu-2.8.0-r9: 9p: virtfs allows guest to access host filesystem
Summary: <app-emulation/qemu-2.8.0-r9: 9p: virtfs allows guest to access host filesystem
Status: RESOLVED FIXED
Alias: CVE-2016-9602
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B1 [glsa cve]
Keywords:
Depends on:
Blocks: CVE-2017-6505
  Show dependency tree
 
Reported: 2017-01-17 13:31 UTC by Agostino Sarubbo
Modified: 2017-04-10 21:26 UTC (History)
1 user (show)

See Also:
Package list:
app-emulation/qemu-2.8.0-r9
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-01-17 13:31:51 UTC
From ${URL} :

Quick Emulator(Qemu) built with the VirtFS, host directory sharing via Plan 9
File System(9pfs) support, is vulnerable to an improper link following issue.
It could occur while accessing symbolic link files on a shared host directory.

A privileged user inside guest could use this flaw to access host file system
beyond the shared folder and potentially escalating their privileges on a host.

Upstream patches:
-----------------
  ->

Reference:
----------
  -> http://wiki.qemu.org/Documentation/9psetup


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Matthias Maier gentoo-dev 2017-02-13 04:51:36 UTC
In order to fix this security issue, we will probably have to wait for upstream to release a new version containing this absolutely non-trivial patch set.


[1] https://lists.gnu.org/archive/html/qemu-devel/2017-01/msg06225.html
Comment 2 Matthias Maier gentoo-dev 2017-02-28 23:40:40 UTC
Update: The patches are still not approved by upstream…

Project zero derestricted their tracker bug (with POC) [1].

[1] https://bugs.chromium.org/p/project-zero/issues/detail?id=1035&can=6&q=
Comment 3 Matthias Maier gentoo-dev 2017-03-27 12:06:47 UTC
Finally...

commit 938d91b3e98a08d43a692155db159f63437c2995
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Mon Mar 27 06:53:54 2017 -0500

    app-emulation/qemu: Apply upstream patches for CVE-2016-9602, bug #606088
    
    Package-Manager: Portage-2.3.3, Repoman-2.3.2
Comment 4 Matthias Maier gentoo-dev 2017-03-27 12:17:44 UTC
Arches, please test and mark stable

 =app-emulation/qemu-2.8.0-r9

Target-keywords: "amd64 x86"
Comment 5 Yury German Gentoo Infrastructure gentoo-dev Security 2017-03-28 04:11:02 UTC
Added to an existing GLSA Request.
Since we are writing up a GLSA for QEMU, adding this to the current one, and will release it when stabilization is complete.
Comment 6 Agostino Sarubbo gentoo-dev 2017-03-28 09:57:06 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-04-01 16:07:10 UTC
x86 stable.

Maintainer(s), please cleanup.
Comment 8 Matthias Maier gentoo-dev 2017-04-02 02:28:17 UTC
commit 8e6a5f44a3119c14be5245fec2e4ee2528c573bc
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Sat Apr 1 21:25:20 2017 -0500

    app-emulation/qemu: drop vulnerable, bug #606088
    
    Package-Manager: Portage-2.3.3, Repoman-2.3.2
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2017-04-10 21:26:05 UTC
This issue was resolved and addressed in
 GLSA 201704-01 at https://security.gentoo.org/glsa/201704-01
by GLSA coordinator Kristian Fiskerstrand (K_F).