Bug 1656114 (CVE-2018-16872)

Summary: CVE-2018-16872 QEMU: usb-mtp: path traversal by host filesystem manipulation in Media Transfer Protocol (MTP)
Product: [Other] Security Response
Reporter: Laura Pardo <lpardo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: ailan, amit, areis, berrange, cfergeau, dbecker, drjones, dwmw2, imammedo, itamar, jen, jforbes, jjoyce, jschluet, kbasil, knoel, lhh, lpeer, m.a.young, mburns, mkenneth, mrezanin, mst, pbonzini, ppandit, public, rbalakri, rjones, rkrcmar, robinlee.sysu, sclewis, security-response-team, slinaber, virt-maint, vkuznets, xen-maint
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was found in QEMU's Media Transfer Protocol (MTP). The code opening files in usb_mtp_get_object and usb_mtp_get_partial_object and directories in usb_mtp_object_readdir doesn't consider that the underlying filesystem may have changed since the time lstat(2) was called in usb_mtp_object_alloc, a classical TOCTTOU problem. An attacker with write access to the host filesystem, shared with a guest, can use this property to navigate the host filesystem in the context of the QEMU process and read any file the QEMU process has access to. Access to the filesystem may be local or via a network share protocol such as CIFS.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-10 10:43:33 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1659150
Bug Blocks: 1654890

Description Laura Pardo 2018-12-04 17:31:23 UTC
A flaw was found in qemu Media Transfer Protocol (MTP). The code opening files
in usb_mtp_get_object and usb_mtp_get_partial_object and directories in
usb_mtp_object_readdir doesn't consider that the underlying filesystem may have
changed since the time lstat(2) was called in usb_mtp_object_alloc, a classical
TOCTTOU problem. An attacker with write access to the host filesystem shared with
a guest can use this property to navigate the host filesystem in the context of
the QEMU process and read any file the QEMU process has access to. Access to the
filesystem may be local or via a network share protocol such as CIFS.

Upstream patch:
---------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg03135.html

Reference:
----------
  -> https://www.openwall.com/lists/oss-security/2018/12/13/11
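The TOCTTOU window the report describes, shown as an added example that is not QEMU's usb-mtp code and not the upstream patch: a hypothetical `obj_alloc()` records the object's identity at lstat() time the way the report says usb_mtp_object_alloc does, `obj_open_naive()` shows the weak pattern (trusting that earlier lstat() and following symlinks), and `obj_open_checked()` shows one standard mitigation for this bug class, opening with O_NOFOLLOW|O_CLOEXEC and then comparing the fstat() device, inode and file type of the descriptor against what was recorded. `demo_change_after_alloc()` is a constructed self-check that alters a temporary directory between the two steps (a symlink swap, or a different regular file renamed over the path) and reports whether only the checked open refuses it. All names and the /tmp layout are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Identity recorded at allocation time (the lstat() step in the report). */
struct mtp_obj {
    char path[256];
    dev_t dev;
    ino_t ino;
    mode_t fmt;          /* file type bits only (S_IFMT) */
};

/* Hypothetical stand-in for usb_mtp_object_alloc(): lstat() once, remember identity. */
int obj_alloc(struct mtp_obj *o, const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    snprintf(o->path, sizeof o->path, "%s", path);
    o->dev = st.st_dev;
    o->ino = st.st_ino;
    o->fmt = st.st_mode & S_IFMT;
    return 0;
}

/* Weak pattern: trusts the earlier lstat() and follows whatever is at the path now. */
int obj_open_naive(const struct mtp_obj *o)
{
    return open(o->path, O_RDONLY);
}

/* Hardened pattern: O_NOFOLLOW rejects a symlink planted after lstat(), and
 * fstat() on the descriptor confirms it is still the same device/inode/type. */
int obj_open_checked(const struct mtp_obj *o)
{
    int fd = open(o->path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || st.st_dev != o->dev || st.st_ino != o->ino ||
        (st.st_mode & S_IFMT) != o->fmt) {
        close(fd);
        errno = ESTALE;  /* the object changed underneath us */
        return -1;
    }
    return fd;
}

/* Constructed self-check: create an object in a temp dir, record it, then alter
 * the filesystem before the open. mode 0: swap in a symlink; mode 1: rename a
 * different regular file over the path. Returns 1 when the naive open still
 * succeeds but the checked open refuses, 0 otherwise, -1 on setup failure. */
int demo_change_after_alloc(int mode)
{
    char dir[] = "/tmp/mtp-toctou-XXXXXX";
    if (!mkdtemp(dir))
        return -1;
    char obj[256], other[256];
    snprintf(obj, sizeof obj, "%s/object", dir);
    snprintf(other, sizeof other, "%s/other", dir);
    FILE *f = fopen(obj, "w");
    if (!f) return -1;
    fputs("original object\n", f);
    fclose(f);
    f = fopen(other, "w");
    if (!f) return -1;
    fputs("some other file\n", f);
    fclose(f);

    struct mtp_obj o;
    if (obj_alloc(&o, obj) != 0)
        return -1;

    /* The filesystem changes between lstat() and open(). */
    if (mode == 0) {
        unlink(obj);
        if (symlink(other, obj) != 0) return -1;
    } else {
        if (rename(other, obj) != 0) return -1;
    }

    int naive = obj_open_naive(&o);
    int checked = obj_open_checked(&o);
    int result = (naive >= 0 && checked < 0) ? 1 : 0;
    if (naive >= 0) close(naive);
    if (checked >= 0) close(checked);
    unlink(obj);
    unlink(other);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("symlink swap:  naive opens, checked refuses = %d\n", demo_change_after_alloc(0));
    printf("file replaced: naive opens, checked refuses = %d\n", demo_change_after_alloc(1));
    return 0;
}
```

Two design points worth noting. The inode comparison matters in addition to O_NOFOLLOW: a plain file replaced at the same path is not a symlink, so only the fstat() check catches it. And O_NOFOLLOW applies to the final path component only; a symlink substituted for one of the parent directories is not covered, which is why code serving a shared tree should also open relative to a directory descriptor of the share root (openat with the same flags) rather than re-walking an absolute path.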

Comment 1 Laura Pardo 2018-12-04 17:31:37 UTC
Acknowledgments:

Name: Michael Hanselmann (hansmi.ch)

Comment 2 Prasad J Pandit 2018-12-13 17:11:15 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1659150]