https://gitlab.com/qemu-project/qemu/-/commit/10fad73a2bf1c76c8aa9d6322755e5f877d83ce5

"""
From 10fad73a2bf1c76c8aa9d6322755e5f877d83ce5 Mon Sep 17 00:00:00 2001
From: Christian Schoenebeck <qemu_oss@crudebyte.com>
Date: Wed, 7 Jun 2023 18:29:33 +0200
Subject: [PATCH] 9pfs: prevent opening special files (CVE-2023-2861)

The 9p protocol does not specifically define how server shall behave when client tries to open a special file, however from security POV it does make sense for 9p server to prohibit opening any special file on host side in general.

A sane Linux 9p client for instance would never attempt to open a special file on host side, it would always handle those exclusively on its guest side. A malicious client however could potentially escape from the exported 9p tree by creating and opening a device file on host side.

With QEMU this could only be exploited in the following unsafe setups:

- Running QEMU binary as root AND 9p 'local' fs driver AND 'passthrough' security model.

or

- Using 9p 'proxy' fs driver (which is running its helper daemon as root).

These setups were already discouraged for safety reasons before, however for obvious reasons we are now tightening behaviour on this.

Fixes: CVE-2023-2861
Reported-by: Yanwu Shen <ywsPlz@gmail.com>
Reported-by: Jietao Xiao <shawtao1125@gmail.com>
Reported-by: Jinku Li <jkli@xidian.edu.cn>
Reported-by: Wenbo Shen <shenwenbo@zju.edu.cn>
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Message-Id: <E1q6w7r-0000Q0-NM@lizzy.crudebyte.com>
(cherry picked from commit f6b0de53fb87ddefed348a39284c8e2f28dc4eda)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(Mjt: drop adding qemu_fstat wrapper for 7.2 where wrappers aren't used)
---
"""
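The commit message above describes the mitigation only in prose: after the host-side open, the server checks what it actually opened and refuses anything that is neither a regular file nor a directory. The C below is an added illustration of that defensive check written for this page; it is not the QEMU patch, and the function names, the ENXIO error code, the O_NOFOLLOW usage and the temp-dir sample input are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Post-open check: keep the fd only if it is a regular file or a directory.
 * A device, FIFO or socket is closed and the call fails (ENXIO is our choice). */
int close_if_special_file(int fd)
{
    struct stat st;
    int err = fstat(fd, &st) < 0 ? errno : 0;
    if (!err && !S_ISREG(st.st_mode) && !S_ISDIR(st.st_mode)) {
        fprintf(stderr, "9p: refusing special file (type 0%o)\n", st.st_mode & S_IFMT);
        err = ENXIO;
    }
    if (err) {
        close(fd);
        errno = err;
        return -1;
    }
    return 0;
}

/* Open `name` relative to the export directory `dirfd` without following
 * symlinks, then apply the check so a device fd never reaches the caller. */
int open_regular_or_dir(int dirfd, const char *name, int flags, mode_t mode)
{
    int fd = openat(dirfd, name, flags | O_NOFOLLOW | O_CLOEXEC, mode);
    return (fd < 0 || close_if_special_file(fd) < 0) ? -1 : fd;
}

/* Constructed sample input: a fresh temp dir with a regular file and a FIFO.
 * Returns 1 if file and dir are accepted and the FIFO is rejected with ENXIO. */
int demo_special_file_check(void)
{
    char dir[] = "/tmp/p9check_XXXXXX";
    int dfd = mkdtemp(dir) ? open(dir, O_RDONLY | O_DIRECTORY) : -1;
    if (dfd < 0) return 0;
    int ok = 1, fd = open_regular_or_dir(dfd, "data.txt", O_RDWR | O_CREAT, 0600);
    ok &= fd >= 0; if (fd >= 0) close(fd);
    fd = open_regular_or_dir(dfd, ".", O_RDONLY, 0);
    ok &= fd >= 0; if (fd >= 0) close(fd);
    ok &= mkfifoat(dfd, "pipe", 0600) == 0;
    fd = open_regular_or_dir(dfd, "pipe", O_RDONLY | O_NONBLOCK, 0); /* FIFO: no writer needed */
    ok &= fd == -1 && errno == ENXIO;
    unlinkat(dfd, "pipe", 0); unlinkat(dfd, "data.txt", 0); close(dfd); rmdir(dir);
    return ok;
}
```

The check runs on the opened descriptor rather than on a path lookup, so a special file created between lookup and open is still caught.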
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d2d08ad4d9a70136bf79818eb698e3cb7eead3b0

commit d2d08ad4d9a70136bf79818eb698e3cb7eead3b0
Author: Sam James <sam@gentoo.org>
AuthorDate: 2023-07-02 23:00:41 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-07-02 23:00:43 +0000

    app-emulation/qemu: fix CVE-2023-2861 for 8.0.2

    Bug: https://bugs.gentoo.org/909542
    Signed-off-by: Sam James <sam@gentoo.org>

 .../qemu/files/qemu-8.0.2-CVE-2023-2861.patch | 162 ++++
 app-emulation/qemu/qemu-8.0.2-r1.ebuild       | 964 +++++++++++++++++++++
 2 files changed, 1126 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dde094e8f986b73ffdcb3f71226aac92e415408a

commit dde094e8f986b73ffdcb3f71226aac92e415408a
Author: Sam James <sam@gentoo.org>
AuthorDate: 2023-07-02 22:58:04 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-07-02 22:58:04 +0000

    app-emulation/qemu: fix CVE-2023-2861 for 7.2.3

    Bug: https://bugs.gentoo.org/909542
    Signed-off-by: Sam James <sam@gentoo.org>

 .../qemu/files/qemu-7.2.3-CVE-2023-2861.patch | 162 ++++
 app-emulation/qemu/qemu-7.2.3-r1.ebuild       | 973 +++++++++++++++++++++
 2 files changed, 1135 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=229d28a525799ae2f65b1a2cd206b07189241026

commit 229d28a525799ae2f65b1a2cd206b07189241026
Author: Sam James <sam@gentoo.org>
AuthorDate: 2023-07-02 23:34:19 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-07-02 23:34:42 +0000

    app-emulation/qemu: use right CVE-2023-2861 patch for 8.0.2

    Fixes: d2d08ad4d9a70136bf79818eb698e3cb7eead3b0
    Bug: https://bugs.gentoo.org/909542
    Signed-off-by: Sam James <sam@gentoo.org>

 .../qemu/files/qemu-8.0.2-CVE-2023-2861.patch      | 23 +++++++++++++---------
 .../{qemu-8.0.2-r1.ebuild => qemu-8.0.2-r2.ebuild} |  0
 2 files changed, 14 insertions(+), 9 deletions(-)
Ping. Please clean up vulnerable versions 7.2.0-r3 and 7.2.3.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=50ad24c08d86326adcff296e6beb26107e0ab028

commit 50ad24c08d86326adcff296e6beb26107e0ab028
Author: John Helmert III <ajak@gentoo.org>
AuthorDate: 2023-10-30 02:57:34 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2023-10-30 02:58:26 +0000

    app-emulation/qemu: drop 7.2.0-r3, 7.2.3

    Bug: https://bugs.gentoo.org/909542
    Bug: https://bugs.gentoo.org/865112
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 app-emulation/qemu/Manifest             |   2 -
 app-emulation/qemu/qemu-7.2.0-r3.ebuild | 973 --------------------------------
 app-emulation/qemu/qemu-7.2.3.ebuild    | 972 -------------------------------
 3 files changed, 1947 deletions(-)
Not much to do here anymore.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=1baff7cf9283037d49a3b562d771e3cf77039bfa

commit 1baff7cf9283037d49a3b562d771e3cf77039bfa
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-08-09 09:49:28 +0000
Commit: Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-08-09 09:49:35 +0000

    [ GLSA 202408-18 ] QEMU: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/857657
    Bug: https://bugs.gentoo.org/865121
    Bug: https://bugs.gentoo.org/883693
    Bug: https://bugs.gentoo.org/909542
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202408-18.xml | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)