* Re: [Qemu-devel] [oss-security] QEMU 2.3.0 tmp vulns CVE request
[not found] <55537A9D.70306@redhat.com>
@ 2015-05-16 8:45 ` Michael Tokarev
2015-05-16 14:38 ` Jakub Wilk
0 siblings, 1 reply; 2+ messages in thread
From: Michael Tokarev @ 2015-05-16 8:45 UTC (permalink / raw)
To: oss-security; +Cc: qemu-devel
[Adding Cc qemu-devel@]
13.05.2015 19:23, Kurt Seifried wrote:
> So some suspicious looking tmp usage in qemu (I excluded the test
> scripts and builds scripts, they were rife with problems so hopefully
> people only build in trusted environments).
>
> Additionally there will no doubt be further QEMU issues found in the
> next few days/weeks as people start looking, I would ask that this be
> handled publicly unless it's Remote Code Exec or equivalent (e.g.
> CVE-2015-3456).
>
>
>
> ====================================================================
> http://wiki.qemu-project.org/download/qemu-2.3.0.tar.bz2
>
> ====================================================================
> ./roms/u-boot/tools/patman/series.py:
> ./roms/u-boot/lib/lzma/import_lzmasdk.sh
This is part of u-boot source maintained externally but included
in qemu sources tarball. It is not used directly even for building
qemu, used only by relevant maintainers when they update files in
pc-bios/ which are produced from this set of sources. If the bug
is to be assigned, it should be filed against u-boot not qemu.
> ====================================================================
> ./roms/ipxe/src/util/niclist.pl:
The same thing, it is ipxe source, not used by qemu in any way.
> ====================================================================
>
> ./net/slirp.c:
> snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.%ld-%d",
> (long)getpid(), instance++);
This one is real, used for -smb argument, to start smbd, making
its configuration. Maybe tmpnam() should be used here.
> ====================================================================
> ./tcg/tcg.c:
> #ifdef DEBUG_JIT
> /* Enable this block to be able to debug the ELF image file creation.
> One can use readelf, objdump, or other inspection utilities. */
> {
> FILE *f = fopen("/tmp/qemu.jit", "w+b");
> if (f) {
> if (fwrite(img, img_size, 1, f) != img_size) {
> /* Avoid stupid unused return value warning for fwrite. */
> }
> fclose(f);
> }
> }
> #endif
This is solely for debugging by JIT maintainers. Not useful for or
used by users.
>From all the above, only net/slirp.c issue might be of interest.
Thanks,
/mjt
^ permalink raw reply [flat|nested] 2+ messages in thread