Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 235219 (CVE-2008-1945) - =app-emulation/qemu-softmmu-0.9.0 "removable media" Host file disclosure (CVE-2008-1945)
Summary: =app-emulation/qemu-softmmu-0.9.0 "removable media" Host file disclosure (CVE...
Status: RESOLVED OBSOLETE
Alias: CVE-2008-1945
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [ebuild / upstream]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-08-19 20:07 UTC by Robert Buchholz (RETIRED)
Modified: 2013-08-28 01:49 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
qemu-CVE-2008-1945.patch (qemu-CVE-2008-1945.patch,1.98 KB, patch)
2008-08-19 20:24 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff
qemu-0.9.0-mdv,svn-CVE-2008-1945.patch (qemu-0.9.0-mdv,svn-CVE-2008-1945.patch,4.31 KB, patch)
2008-08-19 20:26 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-08-19 20:07:24 UTC
CVE-2008-1945 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1945):
  QEMU 0.9.0 does not properly handle changes to removable media, which allows
  guest OS users to read arbitrary files on the host OS by using the
  diskformat: parameter in the -usbdevice option to modify the disk-image
  header to identify a different format, a related issue to CVE-2008-2004.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-08-19 20:24:16 UTC
Created attachment 163325 [details, diff]
qemu-CVE-2008-1945.patch

Patch as applied upstream in r4747
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-08-19 20:26:16 UTC
Created attachment 163327 [details, diff]
qemu-0.9.0-mdv,svn-CVE-2008-1945.patch

Patch as applied by Mandriva
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-08-19 20:27:27 UTC
I asked spuk of Mandriva why the patch was not fully applied upstream:

<spuk-> rbu: don't know why it wasn't fully applied upstream, last words from the patch author (Chris Wright) after some discussion on the patch were that that patch was fine, and I didn't see a drawback on using it, as it seemed "more complete", even though the "extra completeness" might not be very important (maybe that's why it wasn't applied?)
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-08-19 20:35:19 UTC
Chris Wright's original comment on the patch (as used by Mandriva):

Subject: [PATCH] add image format options for USB storage and removable media

Previous commit didn't handle removable media or USB (thanks to Markus
for noting this).  This patch adds a cmdline option for USB to allow
admin to specify format type.  To avoid changing exists semantics a new
option -usbdevice diskformat: is added (ugly name). This is valid from
both command line and monitor interface.  Because of the comma delimiter,
admin must use ',,' just as in -drive file=filename.

The patch also allows specifying image format when changing removable
media.  It is an optional argument to the monitor command "change,"
so there is no change to existing semantics.

Longer term it'd be better to provide some safe defaults.
Comment 5 Doug Goldstein gentoo-dev 2013-08-28 01:18:54 UTC
@security: ~5 year ping. package is no longer in the tree. The bug doesn't make a note of this but it affected xen 3.0 as well.
Comment 6 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-28 01:49:49 UTC
5 year old bug, package gone -> byebye.