Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 427820 (CVE-2011-2527) - app-emulation/qemu-user: Fails to drop group privileges with -runas option (CVE-2011-2527)
Summary: app-emulation/qemu-user: Fails to drop group privileges with -runas option (C...
Alias: CVE-2011-2527
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [ebuild]
Depends on: 508098
  Show dependency tree
Reported: 2012-07-23 23:08 UTC by GLSAMaker/CVETool Bot
Modified: 2014-05-30 04:40 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2012-07-23 23:08:28 UTC
CVE-2011-2527 (
  The change_process_uid function in os-posix.c in Qemu 0.14.0 and earlier
  does not properly drop group privileges when the -runas option is used,
  which allows local guest users to access restricted files on the host.

Upstream bug report:
Comment 1 Doug Goldstein (RETIRED) gentoo-dev 2012-12-08 06:12:59 UTC
This affects current app-emulation/qemu-user ebuilds in the tree (but not app-emulation/qemu).
Comment 2 SpanKY gentoo-dev 2014-05-30 04:40:44 UTC
qemu-user has been removed from the tree as its functionality has been superseded by the combined app-emulation/qemu package.  if you find the qemu package does not support something that the qemu-user package did, please file a new bug explicitly detailing things so we can get it added.