A flaw was found in how qemu, in snapshot mode (-snapshot command line argument), handled the creation and opening of the temporary file used to store the difference of the virtualized guest's read-only image and the current state. In snapshot mode, bdrv_open() creates an empty temporary file without checking for any mkstemp() or close() failures; it also ignores the possibility of a buffer overrun given an exceptionally long $TMPDIR. Because qemu re-opens that file after creation, it is possible to race qemu and insert a symbolic link with the same expected name as the temporary file, pointing to an attacker-chosen file. This can be used to either overwrite the destination file with the privileges of the user running qemu (typically root), or to point to an attacker-readable file that could expose data from the guest to the attacker.
This flaw has been assigned the name CVE-2012-2652.
To accommodate the imminent release of qemu-1.1,
I've posted the report and patch on the upstream mailing list:
Created qemu tracking bugs for this issue
Affects: fedora-all [bug 825697]
qemu-0.15.1-7.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
qemu-1.0.1-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.