Bug 824919 (CVE-2012-2652)

Summary: CVE-2012-2652 qemu: vulnerable to temporary file symlink attacks
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acathrow, anthony, areis, armbru, berrange, bsarathy, ehabkost, jrusnack, knoel, kwolf, minovotn, mkenneth, mtosatti, pmatouse, rhod, rjones, security-response-team, tburke, virt-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20120528,reported=20120523,source=redhat,cvss2=4.6/AV:L/AC:L/Au:N/C:P/I:P/A:P,rhel-5/kvm=affected,rhel-6.3.z/qemu-kvm=affected,rhel-6.4/qemu-kvm=affected,fedora-all/qemu=affected,cwe=CWE-367
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-08-24 09:31:40 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 825686, 825687, 825690, 825691, 825697    
Bug Blocks: 824924    

Description Vincent Danen 2012-05-24 11:35:39 EDT
A flaw was found in how qemu, in snapshot mode (-snapshot command line argument), handled the creation and opening of the temporary file used to store the difference of the virtualized guest's read-only image and the current state.  In snapshot mode, bdrv_open() creates an empty temporary file without checking for any mkstemp() or close() failures; it also ignores the possibility of a buffer overrun given an exceptionally long $TMPDIR.  Because qemu re-opens that file after creation, it is possible to race qemu and insert a symbolic link with the same expected name as the temporary file, pointing to an attacker-chosen file.  This can be used to either overwrite the destination file with the privileges of the user running qemu (typically root), or to point to an attacker-readable file that could expose data from the guest to the attacker.

This flaw has been assigned the name CVE-2012-2652.
Comment 1 Jim Meyering 2012-05-28 03:32:05 EDT
To accommodate the imminent release of qemu-1.1,
I've posted the report and patch on the upstream mailing list:

Comment 5 Petr Matousek 2012-05-28 04:55:15 EDT
Created qemu tracking bugs for this issue

Affects: fedora-all [bug 825697]
Comment 9 Fedora Update System 2012-08-09 18:59:55 EDT
qemu-0.15.1-7.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2012-08-09 19:02:02 EDT
qemu-1.0.1-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.