Bug 466092 (CVE-2013-1922) - <app-emulation/qemu-1.4.1 : qemu-nbd Arbitrary File Disclosure Vulnerability (CVE-2013-1922)
Summary: <app-emulation/qemu-1.4.1 : qemu-nbd Arbitrary File Disclosure Vulnerability ...
Status: RESOLVED FIXED
Alias: CVE-2013-1922
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://secunia.com/advisories/53032/
Whiteboard: B4 [noglsa]
Keywords:
Duplicates: 471116
Depends on:
Blocks:
 
Reported: 2013-04-16 12:40 UTC by Agostino Sarubbo
Modified: 2013-09-02 10:28 UTC
Description Agostino Sarubbo gentoo-dev 2013-04-16 12:40:10 UTC
From ${URL} :

Description
A vulnerability has been reported in Qemu, which can be exploited by malicious, local users in a 
guest virtual machine to disclose certain sensitive information.

The vulnerability is caused due to an error within the qemu-nbd tool, which does not properly check 
the format specification when parsing a disk image and can be exploited to read arbitrary files 
from the host.

The vulnerability is reported in versions prior to 1.4.1.


Solution
Update to version 1.4.1.

Provided and/or discovered by
Daniel Berrange, Red Hat in a GIT commit.

Original Advisory
http://git.qemu.org/?p=qemu.git;a=log;h=refs/tags/v1.4.1
https://bugzilla.redhat.com/show_bug.cgi?id=923219


@maintainer(s): after the bump, please say explicitly if the package is ready for the stabilization or not
Comment 1 Doug Goldstein gentoo-dev 2013-05-30 02:17:56 UTC
This has been in the tree and ready for stabilization. This bug slipped through the cracks when my sons were born unfortunately.

TARGET KEYWORDS: amd64 x86
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-05-30 05:17:47 UTC
*** Bug 471116 has been marked as a duplicate of this bug. ***
Comment 3 Tomáš "tpruzina" Pružina (amd64 [ex]AT) 2013-06-02 14:35:40 UTC
amd64: ok (build+run tested fine, repoman -d complains about dependencies btw)
Comment 4 Agostino Sarubbo gentoo-dev 2013-06-04 12:31:29 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-06-04 12:33:11 UTC
x86 stable
Comment 6 Chris Reffett gentoo-dev Security 2013-08-31 23:59:38 UTC
GLSA vote: no.
Comment 7 Sergey Popov gentoo-dev Security 2013-09-02 10:28:42 UTC
GLSA vote: no

Closing as noglsa