oss-sec mailing list archives

CVE Request: qemu -runas does not clear supplementary groups
From: Michael Tokarev <mjt () tls msk ru>
Date: Tue, 12 Jul 2011 20:48:59 +0400

There's a missing initgroups() call in qemu in the -runas
argument handling.  Details are available on

 https://bugs.launchpad.net/qemu/+bug/807893

In short, -runas is supposed to reduce privileges to a
bare minimum (after all initialization is completed),
but the process still has all the supplementary groups
which should be dropped too.

Can a CVE id be assigned for this issue?

Thanks,

/mjt
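
Added example, not code from QEMU or from the original post: a root-to-user privilege drop in C that includes the initgroups() call the report says is missing, then verifies that no inherited supplementary groups remain. The function names and the MAXG buffer size are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE   /* exposes initgroups()/getgrouplist() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>
#define MAXG 64           /* demo-sized group buffers (assumption) */

/* How many gids in have[] are absent from allowed[]? Non-zero after a
 * privilege drop means groups inherited from the caller leaked through. */
int leftover_groups(const gid_t *have, int n, const gid_t *allowed, int m)
{
    int extra = 0;
    for (int i = 0; i < n; i++) {
        int ok = 0;
        for (int j = 0; j < m && !ok; j++)
            ok = (have[i] == allowed[j]);
        extra += !ok;
    }
    return extra;
}

/* Drop from root to `user` and verify the result. Groups and gid must be
 * changed while still root, so setuid() goes last. Returns 0 on success. */
int drop_privileges(const char *user)
{
    gid_t allowed[MAXG], now[MAXG];
    int m = MAXG, n;
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return -1;
    uid_t uid = pw->pw_uid;   /* copy out: pw points at static storage */
    gid_t gid = pw->pw_gid;
    if (getgrouplist(user, gid, allowed, &m) < 0 ||
        initgroups(user, gid) != 0 ||   /* the call the report says is missing */
        setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (uid != 0 && setuid(0) == 0)     /* regaining root must fail */
        return -1;
    n = getgroups(MAXG, now);
    return (n >= 0 && leftover_groups(now, n, allowed, m) == 0) ? 0 : -1;
}

int main(int argc, char **argv)
{
    int rc = (argc == 2) ? drop_privileges(argv[1]) : -1;
    printf("%s\n", rc == 0 ? "dropped, no inherited groups" : "drop failed (run as root: prog USER)");
    return rc != 0;
}
```

Without the initgroups() step, setgid() and setuid() still succeed, but the final getgroups() check reports the caller's original supplementary groups as leftovers.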

