Bug 2223985 (CVE-2023-1386) - CVE-2023-1386 QEMU: 9pfs: SUID/SGID bits not dropped on file write
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2023-1386
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2223986
Blocks: 2175653
Reported: 2023-07-19 13:03 UTC by Mauro Matteo Cascella
Modified: 2024-04-17 16:49 UTC

Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. When a local user in the guest writes to an executable file that has the SUID or SGID bit set, these privileged bits are not dropped. As a result, in rare circumstances, this flaw could be used by malicious users in the guest to elevate their privileges within the guest and help a host local user to elevate privileges on the host.
Clone Of:
Environment:
Last Closed: 2023-07-19 13:03:49 UTC
Embargoed:



Description Mauro Matteo Cascella 2023-07-19 13:03:13 UTC
A flaw was discovered in 9pfs. Jietao Xiao and his team found that when a local user in the guest tries to write an executable file with SUID or SGID, none of these privileged bits are correctly dropped. As a result, in rare circumstances (there exists an executable file that is owned by root, writable by others, and has SUID/SGID bits), this flaw could be used by malicious users in the guest to elevate their privileges within the guest and help a host's local user to elevate privileges on the host.

Upstream issue:
https://github.com/v9fs/linux/issues/29
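An audit for the precondition named in the description above (an executable file owned by root, writable by others, with SUID/SGID bits), as an added example that is not part of the bug report or of QEMU. The function names and the `owner_uid` parameter are hypothetical, "writable by others" is read here as the world-writable mode bit, and the sample files are constructed.

```python
import os
import stat
import tempfile

def find_risky_files(export_root, owner_uid=0):
    """Return sorted paths under export_root that match the precondition:
    regular executable file, owned by owner_uid, SUID or SGID set, and
    writable by 'other' (assumed reading of "writable by others")."""
    hits = []
    for dirpath, _dirs, files in os.walk(export_root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks out of the tree
            except OSError:
                continue  # file vanished or is unreadable; skip it
            mode = st.st_mode
            if not stat.S_ISREG(mode):
                continue
            privileged = mode & (stat.S_ISUID | stat.S_ISGID)
            executable = mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
            other_writable = mode & stat.S_IWOTH
            if st.st_uid == owner_uid and privileged and executable and other_writable:
                hits.append(path)
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample data: three files with different mode bits."""
    modes = {"risky": 0o4757, "suid_not_writable": 0o4755, "writable_no_suid": 0o0757}
    for name, mode in modes.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)  # chmod after the write so the bits stay set

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        # The sample files belong to the current user, so audit for that UID here;
        # on a real shared directory the default owner_uid=0 (root) applies.
        for p in find_risky_files(tmp, owner_uid=os.getuid()):
            print("SUID/SGID, executable, other-writable:", p)
```

An empty result for a directory shared over 9p means the rare circumstance described in the report is not present in that tree.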

Comment 1 Mauro Matteo Cascella 2023-07-19 13:03:32 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 2223986]

