Bug 444583 (CVE-2008-2004) - CVE-2008-2004 qemu/kvm/xen: qemu block format auto-detection vulnerability
Summary: CVE-2008-2004 qemu/kvm/xen: qemu block format auto-detection vulnerability
Status: CLOSED CURRENTRELEASE
Alias: CVE-2008-2004
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: source=vendorsec,reported=20080417,pu...
Keywords:
Depends On: 444700 444701
Blocks:
Reported: 2008-04-29 11:23 UTC by Jan Lieskovsky
Modified: 2009-09-11 09:03 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-09-11 09:03:51 UTC


Attachments
Proposed patch for kvm from Chris Wright (2.94 KB, patch)
2008-04-29 11:33 UTC, Tomas Hoger
Proposed patch for qemu from Chris Wright and Aurelien Jarno (2.95 KB, patch)
2008-04-29 11:35 UTC, Tomas Hoger


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0194 normal SHIPPED_LIVE Important: xen security and bug fix update 2008-05-13 12:28:04 UTC

Description Jan Lieskovsky 2008-04-29 11:23:20 UTC
Description of problem:

Chris Wright has reported the following kvm qemu block format issue:

<cite>

It is possible for a guest with a raw formatted disk image to write a
header to that disk image describing another format (such as qcow2).
Stopping and subsequent restart of the guest will cause qemu to detect
that format, and could allow the guest to read any host file if qemu is
sufficiently privileged (typical in virt environments).

The patch defaults to existing behaviour (probing based on file contents),
so it still requires the mgmt app (e.g. libvirt xml) to pass a new
"format=raw" parameter for raw disk images.

</cite>

Comment 3 Tomas Hoger 2008-04-29 11:33:44 UTC
Created attachment 304107
Proposed patch for kvm from Chris Wright

Comment 4 Tomas Hoger 2008-04-29 11:35:03 UTC
Created attachment 304108
Proposed patch for qemu from Chris Wright and Aurelien Jarno

Committed in upstream SVN:

http://svn.savannah.nongnu.org/viewvc/trunk/vl.c?root=qemu&r1=4266&r2=4277
http://svn.savannah.nongnu.org/viewvc/trunk/vl.c?root=qemu&r1=4278&r2=4279

Comment 5 Tomas Hoger 2008-04-29 11:46:57 UTC
Proposed patch adds additional parameter -- format=XXX -- to -drive command line
option used by qemu(-kvm), but format auto-detection is still the default.  So
by itself, the patch does not resolve the issue.

Users will have to specify parameter 'format=raw' explicitly if they are running
qemu(-kvm) directly and they use disks with raw format.  Adding support for this
new option to libvirt should probably be considered.
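
Added example, not part of the bug report or the attached patches: a small audit helper that flags -drive option strings lacking an explicit format= and checks whether the leading bytes of an image meant to be raw carry a qcow header with a backing-file reference. The function names, status strings and sample bytes are constructed for illustration, and only the qcow/qcow2 magic is checked.

```python
import struct

QCOW_MAGIC = b"QFI\xfb"  # magic bytes at offset 0 of qcow and qcow2 images

def drive_format(drive_arg):
    """Return the explicit format= value from a -drive option string, or None."""
    # QEMU escapes a literal comma inside a value as ",,"; mask it before splitting.
    for field in drive_arg.replace(",,", "\x00").split(","):
        key, _, value = field.partition("=")
        if key == "format" and value:
            return value
    return None

def qcow_backing_file(head):
    """For the leading bytes of an image, return (is_qcow_header, backing name or None)."""
    if len(head) < 20 or head[:4] != QCOW_MAGIC:
        return False, None
    # Big-endian: version (u32), backing_file_offset (u64), backing_file_size (u32).
    _version, off, size = struct.unpack(">IQI", head[4:20])
    if not off or not size:
        return True, None
    if off + size > len(head):
        return True, "<outside sampled bytes>"
    return True, head[off:off + size].decode("utf-8", "replace")

def audit_drive(drive_arg, head, intended="raw"):
    """Classify one -drive option for an image the management layer created as `intended`."""
    fmt = drive_format(drive_arg)
    is_qcow, backing = qcow_backing_file(head)
    forged = intended == "raw" and is_qcow  # raw disk whose contents claim to be qcow
    if fmt is None:
        if forged:
            return "probed-as-qcow", backing  # probing would follow the guest-written header
        return "probed", None  # nothing found now, but the guest controls these bytes
    if fmt != intended:
        return "format-mismatch", fmt
    return ("pinned-suspicious-header", backing) if forged else ("pinned", None)

# Constructed sample data, not taken from a real image.
SAMPLE_NAME = b"/constructed/backing/file"
SAMPLE_QCOW_HEAD = (QCOW_MAGIC + struct.pack(">IQI", 2, 72, len(SAMPLE_NAME))).ljust(72, b"\0") + SAMPLE_NAME
SAMPLE_RAW_HEAD = bytes(512)

if __name__ == "__main__":
    for arg, head in [("file=guest.img,if=ide", SAMPLE_RAW_HEAD),
                      ("file=guest.img,if=ide", SAMPLE_QCOW_HEAD),
                      ("file=guest.img,if=ide,format=raw", SAMPLE_QCOW_HEAD)]:
        print(arg, "->", audit_drive(arg, head))
```

A "pinned-suspicious-header" result means the drive is opened as raw regardless of its contents, but the header is still worth investigating as evidence that a guest wrote it.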

Comment 7 Chris Lalancette 2009-09-11 09:03:51 UTC
This was fixed in all of the relevant streams, so closing out this tracker bug as CURRENTRELEASE.

Chris Lalancette

