exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Mandriva Linux Security Advisory 2013-121 https://packetstormsecurity.com/files/121252/MDVSA-2013-121.txt https://packetstormsecurity.com/files/121252/MDVSA-2013-121.txt https://packetstormsecurity.com/files/121252/Mandriva-Linux-Security-Advisory-2013-121.html Thu, 11 Apr 2013 02:35:05 GMT Mandriva Linux Security Advisory 2013-121 - A flaw was found in how qemu, in snapshot mode (-snapshot command line argument), handled the creation and opening of the temporary file used to store the difference of the virtualized guest's read-only image and the current state. In snapshot mode, bdrv_open() creates an empty temporary file without checking for any mkstemp() or close() failures; it also ignores the possibility of a buffer overrun given an exceptionally long /tmp. Because qemu re-opens that file after creation, it is possible to race qemu and insert a symbolic link with the same expected name as the temporary file, pointing to an attacker-chosen file. This can be used to either overwrite the destination file with the privileges of the user running qemu , or to point to an attacker-readable file that could expose data from the guest to the attacker. A flaw was found in the way QEMU handled VT100 terminal escape sequences when emulating certain character devices. A guest user with privileges to write to a character device that is emulated on the host using a virtual console back-end could use this flaw to crash the qemu-kvm process on the host or, possibly, escalate their privileges on the host. It was discovered that the e1000 emulation code in QEMU does not enforce frame size limits in the same way as the real hardware does. This could trigger buffer overflows in the guest operating system driver for that network card, assuming that the host system does not discard such frames.

Related Files

No related files
packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close