MGASA-2012-0185
Date: July 30th, 2012
Affected releases: 1, 2
Description:
Updated qemu packages fix security vulnerability:
A flaw was found in how qemu, in snapshot mode (-snapshot command line
argument), handled the creation and opening of the temporary file used
to store the difference between the virtualized guest's read-only image
and its current state. In snapshot mode, bdrv_open() creates an empty
temporary file without checking for any mkstemp() or close() failures;
it also ignores the possibility of a buffer overrun given an
exceptionally long $TMPDIR. Because qemu re-opens that file by name
after creating and closing it, an attacker able to write to $TMPDIR can
race qemu and insert a symbolic link with the same expected name as the
temporary file, pointing to an attacker-chosen file. This can be used
either to overwrite the destination file with the privileges of the user
running qemu (typically root), or to point to an attacker-readable file
that could expose data from the guest to the attacker (CVE-2012-2652).
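The two defects described above, reproduced side by side as an added example
that is neither qemu's own bdrv_open() code nor the patched code shipped in
these packages: snapshot_tmp_name() shows the $TMPDIR length check that was
missing, reopen_unchecked() is the create-close-reopen-by-name pattern that
lets a planted symlink be followed, and reopen_verified() is one hardened
form (O_NOFOLLOW plus an fstat() comparison against the inode mkstemp()
created). race_demo() replays the race deterministically by running the
attacker's symlink swap between the close() and the re-open. The vl.XXXXXX
template, all function names and the EEXIST error code are assumptions of
this example, not identifiers from qemu.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Build "$TMPDIR/vl.XXXXXX" into buf without overrunning it: snprintf()
 * reports the length the full string needs, so an over-long $TMPDIR is
 * rejected instead of being truncated or written past the buffer. */
int snapshot_tmp_name(char *buf, size_t size, const char *tmpdir)
{
    if (tmpdir == NULL || *tmpdir == '\0')
        tmpdir = "/tmp";
    int n = snprintf(buf, size, "%s/vl.XXXXXX", tmpdir);
    if (n < 0 || (size_t)n >= size) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* Probe the length check with a synthetic $TMPDIR of tmpdir_len 'a's:
 * 0 if the name fits a PATH_MAX buffer, -1 if it would overflow. */
int tmp_name_check(size_t tmpdir_len)
{
    char dir[PATH_MAX + 64], buf[PATH_MAX];
    if (tmpdir_len >= sizeof dir)
        return -1;
    memset(dir, 'a', tmpdir_len);
    dir[tmpdir_len] = '\0';
    return snapshot_tmp_name(buf, sizeof buf, dir);
}

/* Vulnerable pattern: the temp file was created with mkstemp() and closed,
 * and is now re-opened by NAME.  Whatever the name resolves to right now is
 * opened, including a symlink planted after the close(). */
int reopen_unchecked(const char *path)
{
    return open(path, O_RDWR);
}

/* Hardened pattern: never follow a symlink, and confirm with fstat() that
 * the object opened is the very inode mkstemp() created. */
int reopen_verified(const char *path, const struct stat *created)
{
    int fd = open(path, O_RDWR | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 ||
        st.st_dev != created->st_dev || st.st_ino != created->st_ino) {
        close(fd);
        errno = EEXIST;   /* not the file we created: treat as tampering */
        return -1;
    }
    return fd;
}

/* mkstemp() in $TMPDIR (default /tmp), falling back to the working dir. */
static int make_tmp(char *path, size_t size)
{
    int fd = -1;
    if (snapshot_tmp_name(path, size, getenv("TMPDIR")) == 0)
        fd = mkstemp(path);
    if (fd < 0 && snapshot_tmp_name(path, size, ".") == 0)
        fd = mkstemp(path);
    return fd;
}

/* Replay the race deterministically: between the close() and the re-open an
 * "attacker" step removes the temp file and plants a same-named symlink to a
 * victim file.  Returns 1 if the re-open handed back the victim (attack
 * succeeded), 0 if it was refused, -1 on setup error.  Cleans up after itself. */
int race_demo(int hardened)
{
    char path[PATH_MAX], victim[PATH_MAX];
    struct stat created, st;
    int fd = make_tmp(path, sizeof path);        /* qemu creates ... */
    if (fd < 0)
        return -1;
    if (fstat(fd, &created) < 0) { close(fd); unlink(path); return -1; }
    close(fd);                                   /* ... and closes it */
    int vfd = make_tmp(victim, sizeof victim);   /* attacker's victim file */
    if (vfd < 0) { unlink(path); return -1; }
    close(vfd);
    unlink(path);                                /* attacker swaps in a symlink */
    if (symlink(victim, path) < 0) { unlink(victim); return -1; }
    fd = hardened ? reopen_verified(path, &created) : reopen_unchecked(path);
    int attacked = fd >= 0 && fstat(fd, &st) == 0 && st.st_ino != created.st_ino;
    if (fd >= 0)
        close(fd);
    unlink(path);
    unlink(victim);
    return attacked;
}
```

race_demo(0) returns 1 because open() without O_NOFOLLOW silently follows the
attacker's link to the victim file; race_demo(1) returns 0 because the
O_NOFOLLOW open fails on the symlink, and even a replacement regular file
would be caught by the st_dev/st_ino comparison. The simplest fix in real
code is to avoid the re-open entirely and keep using the descriptor mkstemp()
returned; the verified re-open is the fallback when a re-open by name cannot
be avoided.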
Updated Packages:
Mageia 1:
qemu-0.14.0-5.1.1.mga1
qemu-img-0.14.0-5.1.1.mga1
Mageia 2:
qemu-1.0-6.1.mga2
qemu-img-1.0-6.1.mga2
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2652
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2652
http://lists.opensuse.org/opensuse-updates/2012-07/msg00012.html
https://bugs.mageia.org/show_bug.cgi?id=6694