
Mageia alert MGASA-2012-0185 (qemu)

From:  Mageia Updates <buildsystem-daemon@mageia.org>
To:  updates-announce@ml.mageia.org
Subject:  [updates-announce] MGASA-2012-0185: qemu-0.14.0-5.1.1.mga1 (1/core), qemu-1.0-6.1.mga2 (2/core)
Date:  Mon, 30 Jul 2012 17:59:14 +0200
Message-ID:  <20120730155913.GA11720@valstar.mageia.org>

MGASA-2012-0185

Date: July 30th, 2012
Affected releases: 1, 2

Description:

Updated qemu packages fix a security vulnerability:

A flaw was found in how qemu, in snapshot mode (the -snapshot command line argument), handled the creation and opening of the temporary file used to store the difference between the virtualized guest's read-only image and its current state. In snapshot mode, bdrv_open() creates an empty temporary file without checking for mkstemp() or close() failures; it also ignores the possibility of a buffer overrun when $TMPDIR is exceptionally long. Because qemu re-opens that file by name after creating it, an attacker who can race qemu can replace the temporary file with a symbolic link of the same expected name, pointing to an attacker-chosen file. This can be used either to overwrite the destination file with the privileges of the user running qemu (typically root), or to point the temporary file at an attacker-readable file and so expose data from the guest to the attacker (CVE-2012-2652).

Updated Packages:

Mageia 1:
qemu-0.14.0-5.1.1.mga1
qemu-img-0.14.0-5.1.1.mga1

Mageia 2:
qemu-1.0-6.1.mga2
qemu-img-1.0-6.1.mga2

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2652
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2652
http://lists.opensuse.org/opensuse-updates/2012-07/msg000...
https://bugs.mageia.org/show_bug.cgi?id=6694
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-...
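The create-close-reopen sequence described above, as an added illustration that is not qemu's code and not part of the advisory. The functions create_tmp_unsafe(), write_by_name_unsafe(), create_tmp_safe() and reopen_checked() are hypothetical reconstructions of the vulnerable and hardened patterns; attacker_swap() stands in for the racing attacker, and the whole thing runs as one user in a scratch directory, which models an attacker-writable or non-sticky $TMPDIR (in a sticky-bit /tmp an unprivileged user cannot unlink root's temporary file, so that is the realistic precondition). The hardened variant keeps the descriptor mkstemp() returned, reopens with O_NOFOLLOW, and compares st_dev/st_ino of the two descriptors, so a swapped name is refused instead of written to; it also reports snprintf() truncation rather than handing mkstemp() a template with no XXXXXX.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (illustrative, not qemu's code): build "<tmpdir>/vl.XXXXXX",
 * create it, drop the descriptor. Truncation, mkstemp() and close() failures are
 * all ignored, so the caller is handed only a name it must reopen later. */
int create_tmp_unsafe(const char *tmpdir, char *path, size_t size)
{
    snprintf(path, size, "%s/vl.XXXXXX", tmpdir); /* truncation unnoticed */
    int fd = mkstemp(path);                      /* -1 if no XXXXXX survived */
    close(fd);                                   /* close(-1) unnoticed */
    return 0;                                    /* reports success regardless */
}

/* Hardened pattern: report truncation and mkstemp() failure, keep the descriptor. */
int create_tmp_safe(const char *tmpdir, char *path, size_t size)
{
    int n = snprintf(path, size, "%s/vl.XXXXXX", tmpdir);
    if (n < 0 || (size_t)n >= size)
        return -EOVERFLOW;
    int fd = mkstemp(path);
    return fd < 0 ? -errno : fd;
}

/* Attacker step, constructed for the demo: between creation and reopen, replace
 * the temp file with a symlink to a file of the attacker's choosing. */
int attacker_swap(const char *path, const char *victim)
{
    if (unlink(path) < 0)
        return -errno;
    return symlink(victim, path) < 0 ? -errno : 0;
}

/* Vulnerable reopen: open by name and write guest data to whatever it resolves to. */
int write_by_name_unsafe(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_TRUNC);
    if (fd < 0)
        return -errno;
    ssize_t w = write(fd, data, strlen(data));
    close(fd);
    return w < 0 ? -EIO : 0;
}

/* Hardened reopen: never follow a symlink, and verify the name still denotes the
 * inode mkstemp() created. Returns a descriptor or -errno. */
int reopen_checked(int created_fd, const char *path)
{
    struct stat a, b;
    int fd = open(path, O_WRONLY | O_NOFOLLOW);
    if (fd < 0)
        return -errno;
    if (fstat(created_fd, &a) < 0 || fstat(fd, &b) < 0 ||
        a.st_dev != b.st_dev || a.st_ino != b.st_ino) {
        close(fd);
        return -EPERM; /* the name was swapped underneath us */
    }
    return fd;
}

static int write_file(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -errno;
    ssize_t w = write(fd, data, strlen(data));
    close(fd);
    return w < 0 ? -EIO : 0;
}

static int read_file(const char *path, char *buf, size_t size)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -errno;
    ssize_t r = read(fd, buf, size - 1);
    close(fd);
    if (r < 0) return -EIO;
    buf[r] = '\0';
    return (int)r;
}

/* Over-long tmpdir: the unsafe variant claims success for a file that was never
 * created; the safe variant reports -EOVERFLOW. Returns 1 when both hold. */
int demo_long_tmpdir(void)
{
    char longdir[300], path[64];
    memset(longdir, 'a', sizeof longdir - 1);
    longdir[0] = '/';
    longdir[sizeof longdir - 1] = '\0';
    int unsafe_rc = create_tmp_unsafe(longdir, path, sizeof path);
    int exists = access(path, F_OK) == 0;
    int safe_rc = create_tmp_safe(longdir, path, sizeof path);
    return unsafe_rc == 0 && !exists && safe_rc == -EOVERFLOW;
}

/* Runs both flows against a victim file in a scratch directory. Returns 1 when the
 * vulnerable flow clobbers the victim and the hardened flow refuses the swapped name. */
int demo_race(void)
{
    const char *base = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    char dir[PATH_MAX], victim[PATH_MAX], tmp[PATH_MAX], buf[64];
    snprintf(dir, sizeof dir, "%s/cve-2012-2652-demo.XXXXXX", base);
    if (!mkdtemp(dir)) return -errno;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    if (write_file(victim, "original victim contents") < 0) return -1;

    create_tmp_unsafe(dir, tmp, sizeof tmp);          /* 1. create, descriptor dropped */
    if (attacker_swap(tmp, victim) < 0) return -2;    /* 2. attacker wins the race */
    write_by_name_unsafe(tmp, "guest disk data");     /* 3. reopen by name, write */
    int clobbered = read_file(victim, buf, sizeof buf) > 0 &&
                    strcmp(buf, "guest disk data") == 0;
    unlink(tmp);

    write_file(victim, "original victim contents");
    int fd = create_tmp_safe(dir, tmp, sizeof tmp);
    if (fd < 0) return -3;
    if (attacker_swap(tmp, victim) < 0) return -4;
    int rc = reopen_checked(fd, tmp);                 /* ELOOP on the symlink */
    int refused = rc < 0 && read_file(victim, buf, sizeof buf) > 0 &&
                  strcmp(buf, "original victim contents") == 0;
    if (rc >= 0) close(rc);
    close(fd);
    unlink(tmp); unlink(victim); rmdir(dir);
    return clobbered && refused;
}

int main(void)
{
    printf("long TMPDIR handled: %d\n", demo_long_tmpdir());
    printf("symlink race: unsafe clobbers, hardened refuses: %d\n", demo_race());
    return 0;
}
```

Keeping the descriptor and using it directly (or passing it on) removes the reopen entirely, which is the stronger fix; the O_NOFOLLOW plus fstat() comparison shown here is the check to apply wherever a reopen by name cannot be avoided.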



Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds