oss-sec mailing list archives

Re: QEMU 2.3.0 tmp vulns CVE request

From: Michael Tokarev <mjt () tls msk ru>
Date: Sat, 16 May 2015 11:45:27 +0300

[Adding Cc qemu-devel@]

13.05.2015 19:23, Kurt Seifried wrote:

So some suspicious looking tmp usage in qemu (I excluded the test
scripts and builds scripts, they were rife with problems so hopefully
people only build in trusted environments).

Additionally there will no doubt be further QEMU issues found in the
next few days/weeks as people start looking, I would ask that this be
handled publicly unless it's Remote Code Exec or equivalent (e.g.
CVE-2015-3456).



====================================================================
http://wiki.qemu-project.org/download/qemu-2.3.0.tar.bz2

====================================================================
./roms/u-boot/tools/patman/series.py:
./roms/u-boot/lib/lzma/import_lzmasdk.sh


This is part of u-boot source maintained externally but included
in qemu sources tarball.  It is not used directly even for building
qemu, used only by relevant maintainers when they update files in
pc-bios/ which are produced from this set of sources.  If the bug
is to be assigned, it should be filed against u-boot not qemu.

====================================================================
./roms/ipxe/src/util/niclist.pl:


The same thing, it is ipxe source, not used by qemu in any way.

====================================================================

./net/slirp.c:
    snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.%ld-%d",
             (long)getpid(), instance++);


This one is real, used for -smb argument, to start smbd, making
its configuration.  Maybe tmpnam() should be used here.

====================================================================
./tcg/tcg.c:
#ifdef DEBUG_JIT
    /* Enable this block to be able to debug the ELF image file creation.
       One can use readelf, objdump, or other inspection utilities.  */
    {
        FILE *f = fopen("/tmp/qemu.jit", "w+b");
        if (f) {
            if (fwrite(img, img_size, 1, f) != img_size) {
                /* Avoid stupid unused return value warning for fwrite.  */
            }
            fclose(f);
        }
    }
#endif


This is solely for debugging by JIT maintainers.  Not useful for or
used by users.

From all the above, only net/slirp.c issue might be of interest.


Thanks,

/mjt

Current thread:

QEMU 2.3.0 tmp vulns CVE request Kurt Seifried (May 13)
- Re: QEMU 2.3.0 tmp vulns CVE request Michael Tokarev (May 16)
  - Re: QEMU 2.3.0 tmp vulns CVE request Jakub Wilk (May 16)
- Re: QEMU 2.3.0 tmp vulns CVE request cve-assign (May 23)