Bug 444583 - (CVE-2008-2004) CVE-2008-2004 qemu/kvm/xen: qemu block format auto-detection vulnerability
CVE-2008-2004 qemu/kvm/xen: qemu block format auto-detection vulnerability
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
source=vendorsec,reported=20080417,pu...
:
Depends On: 444700 444701
Blocks:
  Show dependency treegraph
 
Reported: 2008-04-29 07:23 EDT by Jan Lieskovsky
Modified: 2009-09-11 05:03 EDT (History)
11 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-09-11 05:03:51 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Proposed patch for kvm from Chris Wright (2.94 KB, patch)
2008-04-29 07:33 EDT, Tomas Hoger
no flags Details | Diff
Proposed patch for qemu from Chris Wright and Aurelien Jarno (2.95 KB, patch)
2008-04-29 07:35 EDT, Tomas Hoger
no flags Details | Diff

  None (edit)
Description Jan Lieskovsky 2008-04-29 07:23:20 EDT
Description of problem:

Chris Wright has reported the following kvm qemu block format issue:

<cite>

It is possible for a guest with a raw formatted disk image to write a
header to that disk image describing another format (such as qcow2).
Stopping and subsequent restart of the guest will cause qemu to detect
that format, and could allow the guest to read any host file if qemu is
sufficiently privileged (typical in virt environments).

The patch defaults to existing behaviour (probing based on file contents),
so it still requires the mgmt app (e.g. libvirt xml) to pass a new
"format=raw" parameter for raw disk images.

</cite>
Comment 3 Tomas Hoger 2008-04-29 07:33:44 EDT
Created attachment 304107 [details]
Proposed patch for kvm from Chris Wright
Comment 4 Tomas Hoger 2008-04-29 07:35:03 EDT
Created attachment 304108 [details]
Proposed patch for qemu from Chris Wright and Aurelien Jarno

Committed in upstream SVN:

http://svn.savannah.nongnu.org/viewvc/trunk/vl.c?root=qemu&r1=4266&r2=4277
http://svn.savannah.nongnu.org/viewvc/trunk/vl.c?root=qemu&r1=4278&r2=4279
Comment 5 Tomas Hoger 2008-04-29 07:46:57 EDT
Proposed patch adds additional parameter -- format=XXX -- to -drive command line
option used by qemu(-kvm), but format auto-detection is still the default.  So
by itself, the patch does not resolve the issue.

Users will have to specify parameter 'format=raw' explicitly if they are running
qemu(-kvm) directly and they use disks with raw format.  Adding support for this
new option to libvirt should probably be considered.
Comment 7 Chris Lalancette 2009-09-11 05:03:51 EDT
This was fixed in all of the relevant streams, so closing out this tracker but as CURRENTRELEASE.

Chris Lalancette

Note You need to log in before you can comment on or make changes to this bug.