Bug 1792130 (CVE-2020-7211) - CVE-2020-7211 QEMU: Slirp: potential directory traversal using relative paths via tftp server on Windows host
Summary: CVE-2020-7211 QEMU: Slirp: potential directory traversal using relative paths...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-7211
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1792132 1792144 1792145 1792146 1792147 1792148 1792149 1792150 1792151 1792152 1792153 1792154
Blocks: 1693188
TreeView+ depends on / blocked
 
Reported: 2020-01-17 06:18 UTC by Prasad Pandit
Modified: 2023-09-15 00:20 UTC (History)
55 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A potential directory traversal issue was found in the tftp server of the SLiRP user-mode networking implementation used by QEMU. It could occur on a Windows host, as it allows the use of both forward ('/') and backward slash('\') tokens as separators in a file path. A user able to access the tftp server could use this flaw to access undue files by using relative paths.
Clone Of:
Environment:
Last Closed: 2020-01-21 08:10:19 UTC
Embargoed:

Attachments (Terms of Use)

Description Prasad Pandit 2020-01-17 06:18:36 UTC 
A potential directory traversal issue was found in the tftp server
of the SLiRP user-mode networking implementation used by QEMU.
It could occur on Windows host, as it allows to use both forward ('/')
and backward slash('\') tokens as separators in a file path.

A user able to access the tftp server could use this flaw to access
undue files by using relative paths.

Upstream patch:
---------------
  -> https://gitlab.freedesktop.org/slirp/libslirp/commit/14ec36e107a8c9af7d0a80c3571fe39b291ff1d4

Reference:
----------
  -> https://www.openwall.com/lists/oss-security/2020/01/17/2
Comment 4 Prasad Pandit 2020-01-17 06:33:34 UTC 
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1792132]
Comment 13 Eric Christensen 2020-01-20 15:47:00 UTC 
External References:

https://www.voidsecurity.in/2019/01/virtualbox-tftp-server-pxe-boot.html
Comment 14 Prasad Pandit 2020-01-20 16:59:10 UTC 
Acknowledgments:

Name: Reno Robert
Comment 16 Product Security DevOps Team 2020-01-21 08:10:19 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-7211
Comment 17 Joshua Padman 2020-01-21 08:39:54 UTC 
Statement:

This issue affects user-mode or SLiRP networking implementation of the QEMU emulator. Though qemu-kvm package is built with SLiRP networking support, due to its limitations, it is not used by the virtual machine guests by default.

This issue does not affect the versions of the qemu-kvm package as shipped with Red Hat Enterprise Linux 5, 6, 7, 8, Red Hat OpenStack, Red Hat Virtualization and Red Hat Enterprise Linux Advanced Virtualization 8.
Comment 19 Red Hat Bugzilla 2023-09-15 00:20:49 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days
Note You need to log in before you can comment on or make changes to this bug.