Bug 1656114 (CVE-2018-16872) - CVE-2018-16872 QEMU: usb-mtp: path traversal by host filesystem manipulation in Media Transfer Protocol (MTP)
Summary: CVE-2018-16872 QEMU: usb-mtp: path traversal by host filesystem manipulation ...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2018-16872
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1659150
Blocks: 1654890
TreeView+ depends on / blocked
 
Reported: 2018-12-04 17:31 UTC by Laura Pardo
Modified: 2019-09-29 15:03 UTC (History)
37 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was found in QEMU's Media Transfer Protocol (MTP). The code opening files in usb_mtp_get_object and usb_mtp_get_partial_object and directories in usb_mtp_object_readdir doesn't consider that the underlying filesystem may have changed since the time lstat(2) was called in usb_mtp_object_alloc, a classical TOCTTOU problem. An attacker with write access to the host filesystem, shared with a guest, can use this property to navigate the host filesystem in the context of the QEMU process and read any file the QEMU process has access to. Access to the filesystem may be local or via a network share protocol such as CIFS.
Clone Of:
Environment:
Last Closed: 2019-06-10 10:43:33 UTC


Attachments (Terms of Use)

Description Laura Pardo 2018-12-04 17:31:23 UTC
A flaw was found in qemu Media Transfer Protocol (MTP). The code opening files
in usb_mtp_get_object and usb_mtp_get_partial_object and directories in
usb_mtp_object_readdir doesn't consider that the underlying filesystem may have
changed since the time lstat(2) was called in usb_mtp_object_alloc, a classical
TOCTTOU problem. An attacker with write access to the host filesystem shared with
a guest can use this property to navigate the host filesystem in the context of
the QEMU process and read any file the QEMU process has access to. Access to the
filesystem may be local or via a network share protocol such as CIFS.

Upstream patch:
---------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg03135.html

Reference:
----------
  -> https://www.openwall.com/lists/oss-security/2018/12/13/11

Comment 1 Laura Pardo 2018-12-04 17:31:37 UTC
Acknowledgments:

Name: Michael Hanselmann (hansmi.ch)

Comment 2 Prasad J Pandit 2018-12-13 17:11:15 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1659150]


Note You need to log in before you can comment on or make changes to this bug.