* Re: [Qemu-devel] [oss-security] QEMU 2.3.0 tmp vulns CVE request
[not found] <55537A9D.70306@redhat.com>
@ 2015-05-16 8:45 ` Michael Tokarev
2015-05-16 14:38 ` Jakub Wilk
0 siblings, 1 reply; 2+ messages in thread
From: Michael Tokarev @ 2015-05-16 8:45 UTC (permalink / raw)
To: oss-security; +Cc: qemu-devel
[Adding Cc qemu-devel@]
13.05.2015 19:23, Kurt Seifried wrote:
> So some suspicious looking tmp usage in qemu (I excluded the test
> scripts and builds scripts, they were rife with problems so hopefully
> people only build in trusted environments).
>
> Additionally there will no doubt be further QEMU issues found in the
> next few days/weeks as people start looking, I would ask that this be
> handled publicly unless it's Remote Code Exec or equivalent (e.g.
> CVE-2015-3456).
>
>
>
> ====================================================================
> http://wiki.qemu-project.org/download/qemu-2.3.0.tar.bz2
>
> ====================================================================
> ./roms/u-boot/tools/patman/series.py:
> ./roms/u-boot/lib/lzma/import_lzmasdk.sh
This is part of u-boot source maintained externally but included
in qemu sources tarball. It is not used directly even for building
qemu, used only by relevant maintainers when they update files in
pc-bios/ which are produced from this set of sources. If the bug
is to be assigned, it should be filed against u-boot not qemu.
> ====================================================================
> ./roms/ipxe/src/util/niclist.pl:
The same thing, it is ipxe source, not used by qemu in any way.
> ====================================================================
>
> ./net/slirp.c:
> snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.%ld-%d",
> (long)getpid(), instance++);
This one is real, used for -smb argument, to start smbd, making
its configuration. Maybe tmpnam() should be used here.
> ====================================================================
> ./tcg/tcg.c:
> #ifdef DEBUG_JIT
> /* Enable this block to be able to debug the ELF image file creation.
> One can use readelf, objdump, or other inspection utilities. */
> {
> FILE *f = fopen("/tmp/qemu.jit", "w+b");
> if (f) {
> if (fwrite(img, img_size, 1, f) != img_size) {
> /* Avoid stupid unused return value warning for fwrite. */
> }
> fclose(f);
> }
> }
> #endif
This is solely for debugging by JIT maintainers. Not useful for or
used by users.
>From all the above, only net/slirp.c issue might be of interest.
Thanks,
/mjt
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [Qemu-devel] [oss-security] QEMU 2.3.0 tmp vulns CVE request
2015-05-16 8:45 ` [Qemu-devel] [oss-security] QEMU 2.3.0 tmp vulns CVE request Michael Tokarev
@ 2015-05-16 14:38 ` Jakub Wilk
0 siblings, 0 replies; 2+ messages in thread
From: Jakub Wilk @ 2015-05-16 14:38 UTC (permalink / raw)
To: oss-security; +Cc: qemu-devel
* Michael Tokarev <mjt@tls.msk.ru>, 2015-05-16, 11:45:
>>./net/slirp.c:
>> snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.%ld-%d",
>> (long)getpid(), instance++);
>
>This one is real, used for -smb argument, to start smbd, making its
>configuration. Maybe tmpnam() should be used here.
"Never use this function. Use mkstemp(3) or tmpfile(3) instead."
--
Jakub Wilk
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2015-05-16 14:38 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <55537A9D.70306@redhat.com>
2015-05-16 8:45 ` [Qemu-devel] [oss-security] QEMU 2.3.0 tmp vulns CVE request Michael Tokarev
2015-05-16 14:38 ` Jakub Wilk
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).