Bugzilla – Bug 958993
VUL-1: CVE-2015-8556: qemu: Local Privilege Escalation in QEMU virtfs-proxy-helper
Last modified: 2016-04-27 20:10:53 UTC
public via oss-sec, no CVE yet

From: "Jason A. Donenfeld" <Jason@zx2c4.com>
Subject: [oss-security] CVE Request: Local Privilege Escalation in QEMU virtfs-proxy-helper
Date: Mon, 14 Dec 2015 12:14:39 +0100

Hi folks,

Some distros make qemu's virtfs-proxy-helper binary either SUID or give it filesystem capabilities such as cap_chown. This is completely insane for a wide variety of reasons; there are quite a few ways of abusing this to elevate privileges.

This commit fixes the issue in Gentoo:
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=183dd7394703b49c7af441a9c4227b4b91453510

The commit message contains a TOCTOU PoC.

Can we get a CVE for this blunder?

Other distributions - you might want to double check that you're not making a similar mistake. I have no idea if QEMU upstream recommends suid/fscaps in some documentation, or something similar, in which case that'll need to be changed.

Thanks,
Jason
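A packaging audit for the condition the post describes, added here as an example and not part of the bug report or of QEMU: it reports whether a binary carries a setuid/setgid bit or any file capability. The default path is an assumption; pass the location your distribution installs the helper to.

```shell
#!/bin/sh
# Constructed audit helper: flag a binary that is setuid/setgid or carries
# file capabilities, the packaging mistake the oss-sec post warns about.

# Symbolic mode of a file, portable across GNU stat and BSD stat.
file_mode() {
    stat -c '%A' "$1" 2>/dev/null || stat -f '%Sp' "$1"
}

# Return 0 when the setuid or setgid bit is set, 1 otherwise.
# In "-rwsr-xr-x" the 4th character is the setuid slot, the 7th the setgid slot.
has_setid() {
    mode=$(file_mode "$1") || return 1
    case "$mode" in
        ???s*|???S*|??????s*|??????S*) return 0 ;;
    esac
    return 1
}

# Return 0 when getcap reports any file capability, 1 otherwise.
# getcap (libcap) may be missing; report that rather than claiming "clean".
has_fscaps() {
    command -v getcap >/dev/null 2>&1 || {
        echo "getcap not installed; file capabilities not checked" >&2
        return 1
    }
    out=$(getcap "$1" 2>/dev/null) || out=""
    [ -n "$out" ]
}

# Audit one path (default is an assumed install location). Returns 0 when a
# privileged bit or capability is found, 1 when the binary is clean or absent.
audit_helper() {
    path=${1:-/usr/libexec/virtfs-proxy-helper}
    if [ ! -e "$path" ]; then
        echo "$path: not present"
        return 1
    fi
    finding=1
    if has_setid "$path"; then
        echo "$path: setuid/setgid bit set ($(file_mode "$path"))"
        finding=0
    fi
    if has_fscaps "$path"; then
        echo "$path: file capabilities: $(getcap "$path")"
        finding=0
    fi
    [ "$finding" -eq 0 ] || echo "$path: no setuid/setgid bit and no file capabilities"
    return "$finding"
}
```

Run `audit_helper /path/to/virtfs-proxy-helper` from a package post-install check or a CI job; a non-zero exit means the binary is unprivileged, as it is on SUSE and openSUSE.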
Note that this helper has no special privileges on SUSE or openSUSE, so we are not affected.
bugbot adjusting priority
(In reply to Marcus Meissner from comment #1)
> Note that this helper has no special privileges on SUSE or openSUSE, so we
> are not affected.

Agreed. Not an issue in our releases.