
Related Vulnerabilities: CVE-2012-2652   CVE-2012-3515  

Debian Bug report logs - #678280
CVE-2012-2652


Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>

Date: Wed, 20 Jun 2012 15:24:02 UTC

Severity: grave

Tags: patch, security

Found in versions qemu/0.12.5+dfsg-3squeeze1, qemu/0.12.5+dfsg-1

Fixed in versions 1.1.0+dfsg-1, qemu/0.12.5+dfsg-3squeeze2

Done: Michael Tokarev <mjt@tls.msk.ru>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#678280; Package qemu. (Wed, 20 Jun 2012 15:24:06 GMT)


Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Wed, 20 Jun 2012 15:24:08 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <muehlenhoff@univention.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2012-2652
Date: Wed, 20 Jun 2012 17:19:55 +0200
Package: qemu
Severity: grave
Tags: security

Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2652 for
details and a reference to the upstream patch.

Cheers,
        Moritz




Reply sent to Vagrant Cascadian <vagrant@freegeek.org>:
You have taken responsibility. (Thu, 21 Jun 2012 20:12:04 GMT)


Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Thu, 21 Jun 2012 20:12:04 GMT)


Message #10 received at 678280-done@bugs.debian.org:

From: Vagrant Cascadian <vagrant@freegeek.org>
To: 678280-done@bugs.debian.org
Subject: Re: Bug#678280: CVE-2012-2652
Date: Thu, 21 Jun 2012 13:08:52 -0700
Version: 1.1.0+dfsg-1

On Wed, Jun 20, 2012 at 05:19:55PM +0200, Moritz Muehlenhoff wrote:
> Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2652 for
> details and a reference to the upstream patch.

This is fixed upstream, and included in qemu 1.1.0+dfsg-1, currently present in 
sid and wheezy in the following upstream git commit:

commit eba25057b9a5e19d10ace2bc7716667a31297169
Author: Jim Meyering <jim@meyering.net>
Date:   Mon May 28 09:27:54 2012 +0200

    block: prevent snapshot mode $TMPDIR symlink attack
    
    In snapshot mode, bdrv_open creates an empty temporary file without
    checking for mkstemp or close failure, and ignoring the possibility
    of a buffer overrun given a surprisingly long $TMPDIR.
    Change the get_tmp_filename function to return int (not void),
    so that it can inform its two callers of those failures.
    Also avoid the risk of buffer overrun and do not ignore mkstemp
    or close failure.
    Update both callers (in block.c and vvfat.c) to propagate
    temp-file-creation failure to their callers.
    
    get_tmp_filename creates and closes an empty file, while its
    callers later open that presumed-existing file with O_CREAT.
    The problem was that a malicious user could provoke mkstemp failure
    and race to create a symlink with the selected temporary file name,
    thus causing the qemu process (usually root owned) to open through
    the symlink, overwriting an attacker-chosen file.
    
    This addresses CVE-2012-2652.
    http://bugzilla.redhat.com/CVE-2012-2652
    
    Reviewed-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
    Signed-off-by: Jim Meyering <meyering@redhat.com>
    Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>

diff --git a/block.c b/block.c
index af2ab4f..7547051 100644
--- a/block.c
+++ b/block.c
@@ -409,28 +409,36 @@ int bdrv_create_file(const char* filename, QEMUOptionParameter *options)
     return bdrv_create(drv, filename, options);
 }
 
-#ifdef _WIN32
-void get_tmp_filename(char *filename, int size)
+/*
+ * Create a uniquely-named empty temporary file.
+ * Return 0 upon success, otherwise a negative errno value.
+ */
+int get_tmp_filename(char *filename, int size)
 {
+#ifdef _WIN32
     char temp_dir[MAX_PATH];
-
-    GetTempPath(MAX_PATH, temp_dir);
-    GetTempFileName(temp_dir, "qem", 0, filename);
-}
+    /* GetTempFileName requires that its output buffer (4th param)
+       have length MAX_PATH or greater.  */
+    assert(size >= MAX_PATH);
+    return (GetTempPath(MAX_PATH, temp_dir)
+            && GetTempFileName(temp_dir, "qem", 0, filename)
+            ? 0 : -GetLastError());
 #else
-void get_tmp_filename(char *filename, int size)
-{
     int fd;
     const char *tmpdir;
-    /* XXX: race condition possible */
     tmpdir = getenv("TMPDIR");
     if (!tmpdir)
         tmpdir = "/tmp";
-    snprintf(filename, size, "%s/vl.XXXXXX", tmpdir);
+    if (snprintf(filename, size, "%s/vl.XXXXXX", tmpdir) >= size) {
+        return -EOVERFLOW;
+    }
     fd = mkstemp(filename);
-    close(fd);
-}
+    if (fd < 0 || close(fd)) {
+        return -errno;
+    }
+    return 0;
 #endif
+}
 
 /*
  * Detect host devices. By convention, /dev/cdrom[N] is always
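Review bot: the new header comment promises "a negative errno value", but the _WIN32 branch returns -GetLastError(), a Win32 error code from a different numbering space, so a caller that hands ret to strerror() or compares it with errno constants will misreport Windows failures; either map the Win32 code onto an errno (returning -EIO for any failure would be honest) or state the difference at the declaration. A second point in the same branch: `assert(size >= MAX_PATH);` is the only thing protecting GetTempFileName's output buffer and it vanishes under NDEBUG, so a runtime `if (size < MAX_PATH) return -EOVERFLOW;` would give release builds the same guarantee the POSIX branch gets from its `>= size` snprintf check. The POSIX side looks right: truncation is rejected before mkstemp ever sees a mangled template, and mkstemp and close failures now propagate instead of being silently ignored, which is the condition the attack in the commit message relied on.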
@@ -753,7 +761,10 @@ int bdrv_open(BlockDriverState *bs, const char *filename, int flags,
 
         bdrv_delete(bs1);
 
-        get_tmp_filename(tmp_filename, sizeof(tmp_filename));
+        ret = get_tmp_filename(tmp_filename, sizeof(tmp_filename));
+        if (ret < 0) {
+            return ret;
+        }
 
         /* Real path is meaningless for protocols */
         if (is_protocol)
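Review bot: `ret` is assigned here but no declaration appears in the hunk, so confirm bdrv_open already has an `int ret` in scope at this point (the hunk header shows only the function signature). The early return itself is clean as far as the visible lines go: bdrv_delete(bs1) has already run, and tmp_filename is a stack buffer (sizeof(tmp_filename) is what gets passed), so there is nothing to free; if anything else in the snapshot branch was allocated before this call, it would need the same release-before-return treatment the vvfat.c caller gives its buffer.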
diff --git a/block/vvfat.c b/block/vvfat.c
index 2dc9d50..0fd3367 100644
--- a/block/vvfat.c
+++ b/block/vvfat.c
@@ -2808,7 +2808,12 @@ static int enable_write_target(BDRVVVFATState *s)
     array_init(&(s->commits), sizeof(commit_t));
 
     s->qcow_filename = g_malloc(1024);
-    get_tmp_filename(s->qcow_filename, 1024);
+    ret = get_tmp_filename(s->qcow_filename, 1024);
+    if (ret < 0) {
+        g_free(s->qcow_filename);
+        s->qcow_filename = NULL;
+        return ret;
+    }
 
     bdrv_qcow = bdrv_find_format("qcow");
     options = parse_option_parameters("", bdrv_qcow->create_options, NULL);
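Review bot: the buffer length 1024 is now spelled twice, once in g_malloc(1024) and once as the size argument to get_tmp_filename, so a future edit to one silently desynchronizes the other and reintroduces exactly the kind of overrun this commit is closing; bind it once, e.g. `const size_t qcow_fn_len = 1024;`, and pass that to both calls. The failure path is correct: the buffer is freed and s->qcow_filename is set to NULL, so a later teardown cannot double-free or use the stale pointer. As in block.c, `ret` must already be declared in enable_write_target, and its callers must treat a negative return as failure for the new propagation to mean anything.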
diff --git a/block_int.h b/block_int.h
index b80e66d..3d4abc6 100644
--- a/block_int.h
+++ b/block_int.h
@@ -335,7 +335,7 @@ struct BlockDriverState {
     BlockJob *job;
 };
 
-void get_tmp_filename(char *filename, int size);
+int get_tmp_filename(char *filename, int size);
 
 void bdrv_set_io_limits(BlockDriverState *bs,
                         BlockIOLimit *io_limits);
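Review bot: the return-value contract (0 on success, negative errno on failure) is documented only beside the definition in block.c; add a one-line comment at this declaration, since block_int.h is what callers read. Also worth stating explicitly in the commit: changing void to int is not something the compiler flags for callers that keep ignoring the result, so the two call sites updated here (block.c and block/vvfat.c) must be the complete set; a grep for `get_tmp_filename(` across the tree is the cheap way to confirm that before merging.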


live well,
  vagrant
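The commit message above notes that get_tmp_filename creates and closes an empty file which its callers later reopen by name with O_CREAT. The patch makes mkstemp and close failures visible and guards the snprintf, which removes the condition the symlink race needed. The following is an added example, written for this page and not QEMU's code, of the stricter shape a reviewer might ask for: keep the descriptor mkstemp returns instead of closing and reopening by path, and validate the result with fstat() on that descriptor rather than with a by-name check. The names create_private_tmpfile and tmpfile_is_private, the "example.XXXXXX" template, and the 0600/ownership checks are this example's own choices; it assumes a POSIX system and honours $TMPDIR the same way the patched function does.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Hypothetical helper (not QEMU code): create a uniquely named, empty,
 * mode-0600 temporary file under $TMPDIR (default /tmp) and hand back the
 * OPEN descriptor instead of closing it.  Returns the fd (>= 0) on success
 * or a negative errno value on failure.  The generated path is written into
 * `filename` so the caller can unlink it when done.
 */
int create_private_tmpfile(char *filename, size_t size)
{
    const char *tmpdir = getenv("TMPDIR");
    if (tmpdir == NULL || *tmpdir == '\0') {
        tmpdir = "/tmp";
    }

    /* Refuse a truncated template: a surprisingly long $TMPDIR must not
       become a mangled path that mkstemp then operates on. */
    int n = snprintf(filename, size, "%s/example.XXXXXX", tmpdir);
    if (n < 0) {
        return -EINVAL;
    }
    if ((size_t)n >= size) {
        return -EOVERFLOW;
    }

    /* mkstemp opens with O_CREAT|O_EXCL and mode 0600, so the file is
       created atomically and cannot be a pre-existing symlink. */
    int fd = mkstemp(filename);
    if (fd < 0) {
        return -errno;   /* e.g. -ENOENT when $TMPDIR does not exist */
    }
    return fd;
}

/*
 * Check the descriptor before trusting it: a regular file, owned by the
 * effective uid, no group/other permission bits, exactly one link.
 * Because this runs fstat() on the descriptor we already hold, there is
 * no window in which the name could be swapped underneath us.
 * Returns 1 if every check passes, 0 otherwise.
 */
int tmpfile_is_private(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0) {
        return 0;
    }
    return S_ISREG(st.st_mode)
        && st.st_uid == geteuid()
        && (st.st_mode & (S_IRWXG | S_IRWXO)) == 0
        && st.st_nlink == 1;
}

int main(void)
{
    char path[4096];
    int fd = create_private_tmpfile(path, sizeof path);
    if (fd < 0) {
        fprintf(stderr, "create_private_tmpfile: %s\n", strerror(-fd));
        return 1;
    }
    printf("created %s (private: %s)\n", path,
           tmpfile_is_private(fd) ? "yes" : "no");

    /* The caller works through fd, then unlinks by name and closes. */
    unlink(path);
    close(fd);

    /* Show the truncation guard with a deliberately tiny buffer. */
    char tiny[8];
    int rc = create_private_tmpfile(tiny, sizeof tiny);
    printf("tiny buffer -> %s\n",
           rc == -EOVERFLOW ? "-EOVERFLOW" : "unexpected result");
    return 0;
}
```

The design difference from the patched QEMU routine is that the descriptor never leaves the caller's hands, so the later open-by-name that the commit message describes is not needed at all; where a file name must still be handed to another component, the fstat() check on the held descriptor is what tells you the object you created is the one you are about to use.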




Information forwarded to debian-bugs-dist@lists.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#678280; Package qemu. (Mon, 25 Jun 2012 15:45:08 GMT)


Acknowledgement sent to Vagrant Cascadian <vagrant@freegeek.org>:
Extra info received and forwarded to list. Copy sent to Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Mon, 25 Jun 2012 15:45:08 GMT)


Message #15 received at 678280@bugs.debian.org:

From: Vagrant Cascadian <vagrant@freegeek.org>
To: 678280@bugs.debian.org
Subject: Re: Bug#678280: CVE-2012-2652
Date: Mon, 25 Jun 2012 08:43:15 -0700
found 678280 0.12.5+dfsg-3squeeze1
tags 678280 patch
thanks

It turns out that the backport to squeeze may not be too difficult; committed
a patch to the debian-squeeze branch of the git repo:

  http://anonscm.debian.org/gitweb/?p=pkg-qemu/qemu.git;a=commitdiff;h=5e785ce8d51737e47883a0e261559ea780f7fdf9

The patch applies, but I will not be able to build and test it any time soon.


live well,
  vagrant




Marked as found in versions qemu/0.12.5+dfsg-3squeeze1. Request was from Vagrant Cascadian <vagrant@freegeek.org> to control@bugs.debian.org. (Mon, 25 Jun 2012 15:45:11 GMT)


Added tag(s) patch. Request was from Vagrant Cascadian <vagrant@freegeek.org> to control@bugs.debian.org. (Mon, 25 Jun 2012 15:45:12 GMT)


Bug 678280 cloned as bug 686977. Request was from Michael Tokarev <mjt@tls.msk.ru> to control@bugs.debian.org. (Fri, 07 Sep 2012 20:54:03 GMT)


Reply sent to Michael Tokarev <mjt@tls.msk.ru>:
You have taken responsibility. (Sun, 09 Sep 2012 15:06:04 GMT)


Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Sun, 09 Sep 2012 15:06:04 GMT)


Message #26 received at 678280-close@bugs.debian.org:

From: Michael Tokarev <mjt@tls.msk.ru>
To: 678280-close@bugs.debian.org
Subject: Bug#678280: fixed in qemu 0.12.5+dfsg-3squeeze2
Date: Sun, 09 Sep 2012 15:02:32 +0000
Source: qemu
Source-Version: 0.12.5+dfsg-3squeeze2

We believe that the bug you reported is fixed in the latest version of
qemu, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 678280@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <mjt@tls.msk.ru> (supplier of updated qemu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 08 Sep 2012 10:05:17 +0400
Source: qemu
Binary: qemu qemu-keymaps qemu-system qemu-user qemu-user-static qemu-utils libqemu-dev
Architecture: source all i386
Version: 0.12.5+dfsg-3squeeze2
Distribution: squeeze-security
Urgency: low
Maintainer: Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>
Changed-By: Michael Tokarev <mjt@tls.msk.ru>
Description: 
 libqemu-dev - static libraries and headers for QEMU
 qemu       - fast processor emulator
 qemu-keymaps - QEMU keyboard maps
 qemu-system - QEMU full system emulation binaries
 qemu-user  - QEMU user mode emulation binaries
 qemu-user-static - QEMU user mode emulation binaries (static version)
 qemu-utils - QEMU utilities
Closes: 678280 686973
Changes: 
 qemu (0.12.5+dfsg-3squeeze2) squeeze-security; urgency=low
 .
   * block-prevent-snapshot-mode-TMPDIR-symlink-attack-CVE-2012-2652.patch
     upstream fix for CVE-2012-2652, symlink attacks in snapshot mode.
     (Closes: #678280)
   * console-bounds-check-whenever-changing-the-cursor-CVE-2012-3515.patch
     upstream fix for CVE-2012-3515, VT100 emulation vulnerability.
     (Closes: #686973)
Checksums-Sha1: 
 6b7af7644ec0f33e2b45dac7cb97feec3c432a99 2136 qemu_0.12.5+dfsg-3squeeze2.dsc
 5b4bfa571215392329a2aa5a8f5e968483743366 3567505 qemu_0.12.5+dfsg.orig.tar.gz
 3446a8992a68c57460054c1befb84d32df7f1d6f 45890 qemu_0.12.5+dfsg-3squeeze2.diff.gz
 8861b4005927b5782b665be5bf4bedcd8c3ae88b 48022 qemu-keymaps_0.12.5+dfsg-3squeeze2_all.deb
 15faacdd8a79f492b5741ef2600401f556fa483c 105270 qemu_0.12.5+dfsg-3squeeze2_i386.deb
 2361b600b2bcef06f3a0caa3a4f9b971ac93d17c 12289554 qemu-system_0.12.5+dfsg-3squeeze2_i386.deb
 fa9c97bd2839eac22d90d4fb0fccaa0a2825a0ff 4208264 qemu-user_0.12.5+dfsg-3squeeze2_i386.deb
 3f26291db6ba9edb346f9f155fec06a1cbc0fbeb 8886132 qemu-user-static_0.12.5+dfsg-3squeeze2_i386.deb
 e68e13dc7a5832bf16ca7d2ed733dbfde627f3d9 367772 qemu-utils_0.12.5+dfsg-3squeeze2_i386.deb
 f399990d471328eba16ff09fac88bd11dfba8ce1 5000394 libqemu-dev_0.12.5+dfsg-3squeeze2_i386.deb
Checksums-Sha256: 
 a55381e5b79192e592f5d1f882e2de29bbb349ed14cd4b3b1a2bd6484dc0df75 2136 qemu_0.12.5+dfsg-3squeeze2.dsc
 6446fbff55001cb91e9219042ed7516df2a77b243b0b002f1aae7d5887ec9e9f 3567505 qemu_0.12.5+dfsg.orig.tar.gz
 52d94572fd91e57234ad83b9e962ad1f53c10dd2ca9e75c2278060f16be23bd6 45890 qemu_0.12.5+dfsg-3squeeze2.diff.gz
 3231ded7953670ff22bd0394da4e39e5d1ce34c21ed7775b2673f4765ecd88db 48022 qemu-keymaps_0.12.5+dfsg-3squeeze2_all.deb
 11f467e352e11e39dd77cccaf5b43ece7457199fc9a9b6e7301712b0647f9305 105270 qemu_0.12.5+dfsg-3squeeze2_i386.deb
 356c75eb46c7d681d4900559a27946817bdb9b405a7b4350bac25aa02b59f661 12289554 qemu-system_0.12.5+dfsg-3squeeze2_i386.deb
 f469b9c057571615e5df8723b19aaf1f3905606fe17ca2edd43d2e8df191c855 4208264 qemu-user_0.12.5+dfsg-3squeeze2_i386.deb
 89c28c5b484774a8e606a0f95b03461e01775443f82499362293584af7e8fad8 8886132 qemu-user-static_0.12.5+dfsg-3squeeze2_i386.deb
 863b86ce182fc09cb4d7702566bfacc6404e1a34fdafa19fa6889f2be601704d 367772 qemu-utils_0.12.5+dfsg-3squeeze2_i386.deb
 1a4a7af3fcad87e1f58a84c85ea821955849af8b5a8ba40c7308c1c6ab5b4630 5000394 libqemu-dev_0.12.5+dfsg-3squeeze2_i386.deb
Files: 
 6bc5931e2b95510dd75165aaebee27cf 2136 misc optional qemu_0.12.5+dfsg-3squeeze2.dsc
 dc0449d7d14eb2f248a2e77f9e301ced 3567505 misc optional qemu_0.12.5+dfsg.orig.tar.gz
 2753b0bf78078c41edfcb0a4211ec8cc 45890 misc optional qemu_0.12.5+dfsg-3squeeze2.diff.gz
 6cd0c39c421ea3afbc565906d0b75a51 48022 misc optional qemu-keymaps_0.12.5+dfsg-3squeeze2_all.deb
 6563c4a0832959b82ae7248ea9823ce6 105270 misc optional qemu_0.12.5+dfsg-3squeeze2_i386.deb
 d327e3208e791e2624b73fa4bdb847e6 12289554 misc optional qemu-system_0.12.5+dfsg-3squeeze2_i386.deb
 5e6fcf536c4a462e05501b2a872610c7 4208264 misc optional qemu-user_0.12.5+dfsg-3squeeze2_i386.deb
 0b976cb6a689fc7345e163a50b1fb723 8886132 misc optional qemu-user-static_0.12.5+dfsg-3squeeze2_i386.deb
 228e83b5fa11b473de07c7b0b9ca6e4a 367772 misc optional qemu-utils_0.12.5+dfsg-3squeeze2_i386.deb
 70af1c253fb207a0aa090498f73f417a 5000394 libdevel optional libqemu-dev_0.12.5+dfsg-3squeeze2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iJwEAQECAAYFAlBLjY8ACgkQUlPFrXTwyDhZUwP/U0toMqloZFBZrBsqutSHBIYM
sw7OuUCKlsYZQ1jW25+H7HOrUaI4ePWmVeRzZ2M8R60Lgf4KbKPK5NvGAnrgBZfP
sC9+BG+ZWNSCmJKMIuiwVy/N7dwpgc2uJ0+6C85W03eoVgtA0o9y7eywY2OaIG5n
YTJMwRThxKiF9lZMxLU=
=tgRt
-----END PGP SIGNATURE-----




Marked as found in versions qemu/0.12.5+dfsg-1. Request was from mjt@tls.msk.ru (Michael Tokarev) to control@bugs.debian.org. (Mon, 10 Sep 2012 19:21:08 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 09 Oct 2012 07:29:40 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:11:57 2019; Machine Name: buxtehude
