From: "Andreas Färber" <afaerber@suse.de>
To: Laszlo Ersek <lersek@redhat.com>
Cc: Anthony Liguori <aliguori@us.ibm.com>,
	qemu-devel@nongnu.org, qemu-stable@nongnu.org
Subject: Re: [Qemu-devel] [PATCH stable-1.1] qga: set umask 0077 when daemonizing (CVE-2013-2007)
Date: Mon, 27 May 2013 02:19:23 +0200
Message-ID: <51A2A68B.9090703@suse.de>
In-Reply-To: <51A2A4B6.2030400@redhat.com>

On 27.05.2013 02:11, Laszlo Ersek wrote:
> On 05/26/13 15:34, Andreas Färber wrote:
>> From: Laszlo Ersek <lersek@redhat.com>
>>
>> The qemu guest agent creates a bunch of files with insecure permissions
>> when started in daemon mode. For example:
>>
>>   -rw-rw-rw- 1 root root /var/log/qemu-ga.log
>>   -rw-rw-rw- 1 root root /var/run/qga.state
>>   -rw-rw-rw- 1 root root /var/log/qga-fsfreeze-hook.log
>>
>> In addition, at least all files created with the "guest-file-open" QMP
>> command, and all files created with shell output redirection (or
>> otherwise) by utilities invoked by the fsfreeze hook script are affected.
>>
>> For now mask all file mode bits for "group" and "others" in
>> become_daemon().
>>
>> Temporarily, for compatibility reasons, stick with the 0666 file-mode in
>> case of files newly created by the "guest-file-open" QMP call. Do so
>> without changing the umask temporarily.
>>
>> Signed-off-by: Laszlo Ersek <lersek@redhat.com>
>> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
>> (cherry picked from commit c689b4f1bac352dcfd6ecb9a1d45337de0f1de67)
>>
>> [AF: Use error_set() instead of error_setg*()]
>> Signed-off-by: Andreas Färber <afaerber@suse.de>
>> ---
>>  qemu-ga.c            |   2 +-
>>  qga/commands-posix.c | 117 +++++++++++++++++++++++++++++++++++++++++++++++++--
>>  2 files changed, 115 insertions(+), 4 deletions(-)
[...]
> Looks good to me.
> 
> Do you plan to backport
> 
>   8fe6bbc qga: distinguish binary modes in "guest_file_open_modes" map
>   2b72001 qga: unlink just created guest-file if fchmod() or fdopen()
>           fails on it
> 
> too? These are considered polish for the CVE fix.

I did backport both to openSUSE 12.2 - they apply without conflicts. :)
I mainly posted this one to check if there are better QERRs to use.

> Also, a side-note: existing world-writable log files etc. are not
> recreated nor have their modes changed, so maybe a release note or some
> such would be useful for admins ("delete your previous logfile &
> optional unix domain socket, or change their modes manually").

Feel free to add a note to the 1.5 Release Notes - it can then be copied
to the previous releases we backport this fix to.

Apart from 1.1 I backported to our 1.3 branch.

Andreas

-- 
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer; HRB 16746 AG Nürnberg
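
The approach described in the quoted commit message (umask 0077 for the daemon, an explicit 0666 for "guest-file-open" files without touching the umask, and unlinking the new file if fchmod() fails), as an added example that is not part of this message and is not QEMU's code. The function names and the /tmp paths are hypothetical.

```c
/* Added illustration, not QEMU's code; all names here are hypothetical. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Daemon-wide default: mask every "group" and "others" bit (0077). */
static void restrict_umask(void) { umask(S_IRWXG | S_IRWXO); }

/* Create a new file whose final mode is exactly `mode`, whatever the process
 * umask is and without changing it. Returns an fd, or -1 on failure. */
static int create_with_mode(const char *path, mode_t mode)
{
    /* O_EXCL: never reuse an existing file; it stays 0600 until fchmod(). */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
    if (fd == -1) {
        return -1;
    }
    if (fchmod(fd, mode) == -1) {   /* fchmod() is not filtered by umask */
        close(fd);
        unlink(path);               /* do not leave the new file behind */
        return -1;
    }
    return fd;
}

/* Permission bits of a path, or (mode_t)-1 if stat() fails. */
static mode_t mode_of(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (st.st_mode & 07777) : (mode_t)-1;
}

/* Nonzero if group or others may write: what an old log file looks like. */
static int is_group_or_world_writable(const char *path)
{
    mode_t m = mode_of(path);
    return m != (mode_t)-1 && (m & (S_IWGRP | S_IWOTH)) != 0;
}

int main(void)
{
    const char *lp = "/tmp/qga-demo.log", *gp = "/tmp/qga-demo.guestfile";
    unlink(lp); unlink(gp);                       /* constructed demo paths */
    restrict_umask();
    int a = open(lp, O_WRONLY | O_CREAT, 0666);   /* ordinary create: masked */
    int b = create_with_mode(gp, 0666);           /* explicit compat mode */
    printf("%04o %s\n%04o %s\n", (unsigned)mode_of(lp), lp, (unsigned)mode_of(gp), gp);
    if (a != -1) close(a);
    if (b != -1) close(b);
    return unlink(lp) | unlink(gp);
}
```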

Thread overview: 11+ messages
2013-05-26 13:34 [Qemu-devel] [PATCH stable-1.1] qga: set umask 0077 when daemonizing (CVE-2013-2007) Andreas Färber
2013-05-27  0:11 ` Laszlo Ersek
2013-05-27  0:12   ` Laszlo Ersek
2013-05-27  0:19   ` Andreas Färber [this message]
2013-05-27  0:28     ` Laszlo Ersek
2013-05-27 18:33     ` Laszlo Ersek
2013-05-31 18:48 ` Anthony Liguori
2013-06-04 13:59   ` Andreas Färber
2013-06-04 14:23     ` Anthony Liguori
2013-06-05  8:33       ` [Qemu-devel] [Qemu-stable] " Michael Tokarev
2013-06-05 12:43         ` Anthony Liguori
