Virtiofs is still vulnerable to CVE-2018-13405 even with an upstream host and guest kernel which has fixed this CVE. A local user in the guest can still create files in the directories shared by virtiofs with unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of the group. Here, the non-member can trigger the creation of a plain file whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID.
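An added example, not part of the original report or of the QEMU/virtiofsd code: a host-side audit of a virtiofs-shared tree for the two conditions described above, namely SGID directories writable by non-members and SGID executables that inherited such a directory's group. It assumes the "other" write bit as the test for non-member write access (ACLs and owners outside the group are not checked); the function names and sample modes are constructed for illustration.

```python
import os
import stat
import sys

# SGID only makes an executable run with the file's group when group-exec is also set.
SGID_EXEC = stat.S_ISGID | stat.S_IXGRP

def dir_is_exposed(mode):
    """SGID directory that users outside the group can write to ('other' write bit)."""
    return stat.S_ISDIR(mode) and bool(mode & stat.S_ISGID) and bool(mode & stat.S_IWOTH)

def file_is_suspect(mode, gid, parent_mode, parent_gid):
    """Regular SGID executable whose group matches its SGID parent directory's group."""
    return (stat.S_ISREG(mode)
            and (mode & SGID_EXEC) == SGID_EXEC
            and bool(parent_mode & stat.S_ISGID)
            and gid == parent_gid)

def audit_shared_tree(root):
    """Walk a shared directory on the host; return (exposed_dirs, suspect_files)."""
    exposed, suspects = [], []
    for dirpath, _dirnames, filenames in os.walk(root):  # does not follow symlinks
        dst = os.lstat(dirpath)
        if dir_is_exposed(dst.st_mode):
            exposed.append(dirpath)
        for name in filenames:
            path = os.path.join(dirpath, name)
            fst = os.lstat(path)
            if file_is_suspect(fst.st_mode, fst.st_gid, dst.st_mode, dst.st_gid):
                # Report the owner so a reviewer can check group membership by hand.
                suspects.append((path, fst.st_uid, fst.st_gid))
    return exposed, suspects

if __name__ == "__main__":
    if len(sys.argv) > 1:
        exposed_dirs, suspect_files = audit_shared_tree(sys.argv[1])
        for d in exposed_dirs:
            print("exposed SGID dir:", d)
        for path, uid, gid in suspect_files:
            print(f"SGID executable: {path} uid={uid} gid={gid}")
    else:
        # Constructed sample modes: a 2777 directory and a 2755 file inside it.
        demo_dir, demo_file = stat.S_IFDIR | 0o2777, stat.S_IFREG | 0o2755
        print(dir_is_exposed(demo_dir), file_is_suspect(demo_file, 100, demo_dir, 100))
```

Run it on the host against the directory exported to the guest; any file it reports still needs a manual check of whether its owner belongs to the file's group.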
Acknowledgments: Red Hat would like to thank Jietao Xiao (shawtao1125), Jinku Li (jkli.cn), Wenbo Shen (shenwenbo.cn), Nanzi Yang (nzyang.edu.cn) for reporting this issue.
Upstream patch: https://lists.nongnu.org/archive/html/qemu-devel/2022-01/msg05364.html
Qemu pull sent: https://lists.gnu.org/archive/html/qemu-devel/2022-01/msg05447.html
Created qemu tracking bugs for this issue: Affects: fedora-all [bug 2046202]
Merged in upstream qemu / virtiofsd C code: 449e8171f96a6a944d1f - virtiofsd: Drop membership of all supplementary groups (CVE-2022-0358)
I think I've POSTed all the RHEL and c9s bugs now; not done the Fedora one - I'll leave that to someone who knows Fedora process.
Upstream commit: https://gitlab.com/qemu-project/qemu/-/commit/449e8171f96a6a944d1f3b7d3627ae059eae21ca
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:0759 https://access.redhat.com/errata/RHSA-2022:0759
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:0886 https://access.redhat.com/errata/RHSA-2022:0886
This issue has been addressed in the following products: Advanced Virtualization for RHEL 8.5.0.Z Via RHSA-2022:0949 https://access.redhat.com/errata/RHSA-2022:0949
This issue has been addressed in the following products: Advanced Virtualization for RHEL 8.4.0.EUS Via RHSA-2022:0971 https://access.redhat.com/errata/RHSA-2022:0971
This issue has been addressed in the following products: Advanced Virtualization for RHEL 8.2.1 Via RHSA-2022:0973 https://access.redhat.com/errata/RHSA-2022:0973
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-0358