[Secure-testing-team] Bug#705544: CVE-2013-1922 -- qemu-nbd block format auto-detection vulnerability
Michael Tokarev
mjt at tls.msk.ru
Tue Apr 16 14:28:33 UTC 2013
Package: qemu-utils
Version: 1.1.2+dfsg-1
Severity: normal
Tags: security patch upstream
The qemu-nbd utility does not have an option to specify the format of the block
image it serves, so it is possible for a guest (user of the nbd device) to
write data to it in such a way that it looks like some format known to qemu-nbd,
and the next time qemu-nbd is restarted with the same image, it will be
tricked into interpreting that (probably specially crafted) format.
It is very similar to an old vulnerability in qemu itself, CVE-2008-2004.
https://bugzilla.redhat.com/show_bug.cgi?id=923219
http://www.openwall.com/lists/oss-security/2013/04/15/3
The upstream fix -- https://bugzilla.redhat.com/attachment.cgi?id=712650&action=diff --
merely adds an option to qemu-nbd that allows specifying the format of the
image explicitly instead of always relying on guessing.
I don't think this is a serious issue, for several reasons:
o qemu-nbd isn't usually used in production where there's a chance to
hit a malicious guest. Instead, it is used mostly for testing or for
access to the guest image from the host, for administrative purposes; in
both cases the issue isn't serious.
o even when modified to understand the new option, all relevant usages should
be modified as well to utilize the new option.
However, it's still nice to fix it in the debian package. I'm not sure yet
whether we should fix it for wheezy or not.
Thanks,
/mjt
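The mechanism the report describes, as an added example that is not part of the original message and not qemu's code: a small Python model of header-based format guessing. The qcow2 magic (`QFI\xfb`), the version field at offset 4 and the backing_file_offset/backing_file_size fields at offsets 8 and 16 follow the qcow2 header layout; the probe function is a deliberately simplified stand-in for qemu's per-driver probing (only the qcow2 check is modelled), the image bytes are constructed, and the host path `/etc/shadow` is a hypothetical backing-file name of the kind CVE-2008-2004 used. `open_image` models qemu-nbd before the fix (guess the format) and after it (trust an explicitly given format, which released qemu-nbd exposes as `-f`/`--format`).

```python
"""Model of CVE-2013-1922: a guest rewrites sector 0 of the raw image that
qemu-nbd serves so that, on restart, the image probes as qcow2 and the
guest-chosen header fields are trusted.  Added example for this page;
simplified and not qemu's implementation."""
import struct

SECTOR = 512
QCOW2_MAGIC = b"QFI\xfb"  # 0x514649fb, first four bytes of a qcow2 header


def probe_format(image):
    """Magic-based guessing, modelled on qemu's probing.  qemu's qcow2 probe
    accepts the magic with version >= 2; the raw driver is the fallback.
    Only the qcow2 probe is modelled here (assumption: other formats omitted)."""
    if len(image) >= 8 and image[:4] == QCOW2_MAGIC:
        (version,) = struct.unpack(">I", image[4:8])
        if version >= 2:
            return "qcow2"
    return "raw"


def qcow2_backing_file(image):
    """Return the backing-file name the header advertises, or None.
    qcow2 header layout: backing_file_offset at 8 (u64), size at 16 (u32).
    With a guest-written header, both values are attacker controlled."""
    (off,) = struct.unpack(">Q", image[8:16])
    (size,) = struct.unpack(">I", image[16:20])
    if size == 0:
        return None
    return bytes(image[off:off + size]).decode()


def guest_writes_header(image, backing):
    """What a guest with write access to the nbd device can do: overwrite
    sector 0 of its raw disk with bytes shaped like a qcow2 header.
    Constructed for illustration; a real header has more fields."""
    hdr = bytearray(SECTOR)
    hdr[0:4] = QCOW2_MAGIC
    struct.pack_into(">I", hdr, 4, 2)             # version 2
    struct.pack_into(">Q", hdr, 8, 0x100)         # backing_file_offset
    struct.pack_into(">I", hdr, 16, len(backing))  # backing_file_size
    hdr[0x100:0x100 + len(backing)] = backing
    image[0:SECTOR] = hdr


def open_image(image, fmt=None):
    """qemu-nbd before the fix: fmt is None and the format is guessed from
    the (guest-writable) header.  After the fix: the caller passes fmt and
    the header is never consulted for the format decision."""
    return fmt if fmt is not None else probe_format(image)


def demo():
    """Serve an empty raw disk, let the guest write a fake header, then
    reopen it with and without an explicit format."""
    image = bytearray(4 * SECTOR)
    before = open_image(image)                      # "raw": nothing written yet
    guest_writes_header(image, b"/etc/shadow")      # hypothetical host path
    guessed = open_image(image)                     # "qcow2": header is trusted
    backing = qcow2_backing_file(image) if guessed == "qcow2" else None
    fixed = open_image(image, fmt="raw")            # "raw": explicit format wins
    return before, guessed, backing, fixed


if __name__ == "__main__":
    print(demo())
```

The second bullet of the report is visible in the model: `open_image(image)` with no `fmt` is still the guessing path, so every script or service unit that starts qemu-nbd has to be changed to pass the format, or the new option does nothing for it.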