From ${URL} :

Quick Emulator (Qemu) built with the VirtFS, host directory sharing via Plan 9 File System (9pfs) support, is vulnerable to an improper link following issue. It could occur while accessing symbolic link files on a shared host directory.

A privileged user inside a guest could use this flaw to access the host file system beyond the shared folder and potentially escalate their privileges on a host.

Upstream patches:
-----------------
  ->

Reference:
----------
  -> http://wiki.qemu.org/Documentation/9psetup

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
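The link-following problem described in the report above, as an added example that is not part of this bug report and is not QEMU's code: a naive path join that follows symlinks out of a shared directory, beside a component-wise openat() walk with O_NOFOLLOW that refuses them. The function names open_naive and open_beneath are hypothetical, and the sketch assumes a Linux/glibc host.

```c
#define _GNU_SOURCE            /* openat(), O_NOFOLLOW, mkdtemp() on glibc */
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Weak form: join share root and guest-supplied path, let the kernel resolve
 * it. A symlink inside the share is followed wherever it points on the host. */
int open_naive(const char *root, const char *rel, int flags)
{
    char full[PATH_MAX];
    if (snprintf(full, sizeof full, "%s/%s", root, rel) >= (int)sizeof full) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return open(full, flags);
}

/* Hardened form: resolve one component at a time relative to a directory fd,
 * refusing ".." and any symlink (O_NOFOLLOW) at every step. */
int open_beneath(const char *root, const char *rel, int flags)
{
    char buf[PATH_MAX], *save = NULL, *comp, *next;
    int dirfd, fd, err;
    if (strlen(rel) >= sizeof buf) {
        errno = ENAMETOOLONG;
        return -1;
    }
    strcpy(buf, rel);
    dirfd = open(root, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    for (comp = strtok_r(buf, "/", &save); dirfd >= 0 && comp; comp = next) {
        next = strtok_r(NULL, "/", &save);
        if (strcmp(comp, "..") == 0) {
            fd = -1;
            err = EACCES;
        } else {
            /* Intermediate components must be real directories. */
            fd = openat(dirfd, comp, O_NOFOLLOW | O_CLOEXEC |
                        (next ? O_RDONLY | O_DIRECTORY : flags));
            err = errno;
        }
        close(dirfd);          /* done with the parent either way */
        errno = err;
        dirfd = fd;
    }
    return dirfd;   /* -1 with errno set, or an fd inside the share */
}
```

Because each step is relative to an already opened directory descriptor, swapping a directory for a symlink between the check and the open does not change the outcome.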
In order to fix this security issue, we will probably have to wait for upstream to release a new version containing this absolutely non-trivial patch set.

[1] https://lists.gnu.org/archive/html/qemu-devel/2017-01/msg06225.html
Update: The patches are still not approved by upstream… Project Zero derestricted their tracker bug (with POC) [1].

[1] https://bugs.chromium.org/p/project-zero/issues/detail?id=1035&can=6&q=
Finally...

commit 938d91b3e98a08d43a692155db159f63437c2995
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Mon Mar 27 06:53:54 2017 -0500

    app-emulation/qemu: Apply upstream patches for CVE-2016-9602, bug #606088

    Package-Manager: Portage-2.3.3, Repoman-2.3.2
Arches, please test and mark stable =app-emulation/qemu-2.8.0-r9 Target-keywords: "amd64 x86"
Added to an existing GLSA Request. Since we are writing up a GLSA for QEMU, adding this to the current one, and will release it when stabilization is complete.
amd64 stable
x86 stable. Maintainer(s), please cleanup.
commit 8e6a5f44a3119c14be5245fec2e4ee2528c573bc
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Sat Apr 1 21:25:20 2017 -0500

    app-emulation/qemu: drop vulnerable, bug #606088

    Package-Manager: Portage-2.3.3, Repoman-2.3.2
This issue was resolved and addressed in GLSA 201704-01 at https://security.gentoo.org/glsa/201704-01 by GLSA coordinator Kristian Fiskerstrand (K_F).