It was discovered that the Access Control List (ACL) implemented by the
qemu-bridge-helper program could be bypassed in particular cases when a bridge
interface name is as long as IFNAMSIZ-1, i.e. 15 characters. If the ACL specified
in the /etc/qemu-kvm/bridge.conf file denies access to a bridge interface whose
name is IFNAMSIZ-1 characters long, but allows all other interfaces, a local
attacker can use qemu-bridge-helper to create a tap device and attach it to the
denied bridge interface, bypassing the ACL: a requested bridge name longer than
15 characters matches no deny rule, but the kernel keeps only the first
IFNAMSIZ-1 characters of an interface name, so a longer name that shares the
denied bridge's first 15 characters resolves to the denied bridge. This could
be used by the attacker to gain access to confidential data transmitted on the
bridge.
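The following C program is an added illustration of the mismatch described above; it is not code from QEMU, the helper, or this bug report. It models the helper's ACL with the assumed semantics that any matching `deny` rule wins and otherwise some `allow` rule must match, models the kernel's name truncation by copying the requested bridge name into an IFNAMSIZ-byte buffer the way a `struct ifreq` name field would hold it, and contrasts that with a hardened variant that refuses any name the kernel would have to truncate. The sample bridge.conf, the bridge name `vmbridge-secret` (exactly 15 characters) and the function names are constructed for this example.

```c
/*
 * Added example: model of the qemu-bridge-helper ACL check and the IFNAMSIZ
 * truncation that lets a 16+ character bridge name slip past a "deny" rule.
 * Not the helper's own code; rule semantics and the fix are assumptions.
 */
#include <stdio.h>
#include <string.h>
#include <net/if.h>

#ifndef IFNAMSIZ
#define IFNAMSIZ 16            /* Linux: 15 characters plus the terminating NUL */
#endif

#define MAX_RULES 16
#define MAX_NAME  256          /* names this long are accepted by the ACL parser */

enum rule_type { RULE_ALLOW, RULE_DENY, RULE_ALLOW_ALL, RULE_DENY_ALL };

struct rule {
    enum rule_type type;
    char iface[MAX_NAME];
};

/* Parse "allow <if>", "deny <if>", "allow all" and "deny all" lines;
 * blank lines and anything else (e.g. "# comment") are skipped. Returns the rule count. */
static int parse_acl(const char *conf, struct rule *rules, int max)
{
    int n = 0;
    const char *p = conf;
    while (*p && n < max) {
        char line[MAX_NAME + 16], verb[8], arg[MAX_NAME];
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        size_t len = full < sizeof(line) ? full : sizeof(line) - 1;
        int all;
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + full;

        if (sscanf(line, "%7s %255s", verb, arg) != 2)
            continue;
        all = strcmp(arg, "all") == 0;
        if (strcmp(verb, "allow") == 0)
            rules[n].type = all ? RULE_ALLOW_ALL : RULE_ALLOW;
        else if (strcmp(verb, "deny") == 0)
            rules[n].type = all ? RULE_DENY_ALL : RULE_DENY;
        else
            continue;
        strcpy(rules[n].iface, arg);
        n++;
    }
    return n;
}

/* Exact-string ACL evaluation: a matching deny wins, otherwise an allow must match.
 * Note the comparison is on the full string the caller supplied. */
static int acl_permits(const struct rule *rules, int n, const char *bridge)
{
    int allowed = 0, denied = 0;
    for (int i = 0; i < n; i++) {
        switch (rules[i].type) {
        case RULE_ALLOW_ALL: allowed = 1; break;
        case RULE_DENY_ALL:  denied = 1;  break;
        case RULE_ALLOW: if (strcmp(bridge, rules[i].iface) == 0) allowed = 1; break;
        case RULE_DENY:  if (strcmp(bridge, rules[i].iface) == 0) denied = 1;  break;
        }
    }
    return allowed && !denied;
}

/* The name the kernel actually sees: an ifreq name field holds IFNAMSIZ bytes,
 * so everything past IFNAMSIZ-1 characters is silently dropped. */
static void kernel_ifname(const char *bridge, char out[IFNAMSIZ])
{
    snprintf(out, IFNAMSIZ, "%s", bridge);
}

/* Vulnerable flow: ACL on the full string, then the truncated name goes to the kernel.
 * Returns 1 if the attach would proceed and fills in the bridge the kernel would use. */
static int attach_vulnerable(const struct rule *rules, int n, const char *bridge,
                             char effective[IFNAMSIZ])
{
    if (!acl_permits(rules, n, bridge))
        return 0;
    kernel_ifname(bridge, effective);
    return 1;
}

/* Hardened flow (assumed fix for this example): refuse any name the kernel
 * would truncate, so the string the ACL judged is the string the kernel sees. */
static int attach_fixed(const struct rule *rules, int n, const char *bridge,
                        char effective[IFNAMSIZ])
{
    if (strlen(bridge) >= IFNAMSIZ)
        return 0;
    return attach_vulnerable(rules, n, bridge, effective);
}

int main(void)
{
    /* Constructed bridge.conf: the denied bridge name is exactly IFNAMSIZ-1 = 15 chars. */
    static const char conf[] =
        "# constructed example\n"
        "deny vmbridge-secret\n"
        "allow all\n";
    const char *names[] = { "vmbridge-secret", "vmbridge-secretX", "br0" };
    struct rule rules[MAX_RULES];
    int n = parse_acl(conf, rules, MAX_RULES);
    char eff[IFNAMSIZ];

    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        int v = attach_vulnerable(rules, n, names[i], eff);
        printf("%-17s vulnerable: %s", names[i], v ? "attach" : "refuse");
        if (v)
            printf(" (kernel sees \"%s\")", eff);
        printf("  fixed: %s\n", attach_fixed(rules, n, names[i], eff) ? "attach" : "refuse");
    }
    return 0;
}
```

Run it and the second line shows the bypass: `vmbridge-secretX` is not a literal match for the `deny` rule, `allow all` admits it, and the name the kernel receives after truncation is `vmbridge-secret`, the very bridge the ACL was meant to protect. The hardened variant refuses that request before the ACL is consulted while still admitting ordinary names such as `br0`.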
Name: Riccardo Schirone (Red Hat)
Red Hat Virtualization Hypervisor is not affected by this vulnerability, as its bridge configuration cannot take the required form.
This flaw can only be exploited if `/etc/qemu*/bridge.conf` contains a line containing `allow all` or at least one line with a bridge name of at least 15 characters.
Created qemu tracking bugs for this issue:
Affects: fedora-all [bug 1726407]
*** Bug 1729958 has been marked as a duplicate of this bug. ***