Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <55537A9D.70306@redhat.com>
Date: Wed, 13 May 2015 10:23:57 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: QEMU 2.3.0 tmp vulns CVE request

So some suspicious looking tmp usage in qemu (I excluded the test
scripts and builds scripts, they were rife with problems so hopefully
people only build in trusted environments).

Additionally there will no doubt be further QEMU issues found in the
next few days/weeks as people start looking, I would ask that this be
handled publicly unless it's Remote Code Exec or equivalent (e.g.
CVE-2015-3456).



====================================================================
http://wiki.qemu-project.org/download/qemu-2.3.0.tar.bz2

====================================================================
./roms/u-boot/tools/patman/series.py:
    def MakeCcFile(self, process_tags, cover_fname, raise_on_error):
        """Make a cc file for us to use for per-commit Cc automation

        Also stores in self._generated_cc to make ShowActions() faster.

        Args:
            process_tags: Process tags as if they were aliases
            cover_fname: If non-None the name of the cover letter.
            raise_on_error: True to raise an error when an alias fails
to match,
                False to just print a message.
        Return:
            Filename of temp file created
        """
        # Look for commit tags (of the form 'xxx:' at the start of the
subject)
        fname = '/tmp/patman.%d' % os.getpid()
        fd = open(fname, 'w')
        all_ccs = []
        for commit in self.commits:
            list = []
            if process_tags:
                list += gitutil.BuildEmailList(commit.tags,

raise_on_error=raise_on_error)
            list += gitutil.BuildEmailList(commit.cc_list,
                                           raise_on_error=raise_on_error)
            list += get_maintainer.GetMaintainer(commit.patch)
            all_ccs += list
            print >>fd, commit.patch, ', '.join(list)
            self._generated_cc[commit.patch] = list

        if cover_fname:
            cover_cc = gitutil.BuildEmailList(self.get('cover_cc', ''))
            print >>fd, cover_fname, ', '.join(set(cover_cc + all_ccs))

        fd.close()
        return fname
====================================================================

./roms/u-boot/lib/lzma/import_lzmasdk.sh

#!/bin/sh

usage() {
        echo "Usage: $0 lzmaVERSION.tar.bz2" >&2
        echo >&2
        exit 1
}

if [ "$1" = "" ] ; then
         usage
fi

if [ ! -f $1 ] ; then
        echo "$1 doesn't exist!" >&2
        exit 1
fi

BASENAME=`basename $1 .tar.bz2`
TMPDIR=/tmp/tmp_lib_$BASENAME
FILES="C/LzmaDec.h
      C/Types.h
      C/LzmaDec.c
      history.txt
      lzma.txt"

mkdir -p $TMPDIR
echo "Untar $1 -> $TMPDIR"
tar -jxf $1 -C $TMPDIR

for i in $FILES; do
        echo Copying  $TMPDIR/$i \-\> `basename $i`
        cp $TMPDIR/$i .
        chmod -x `basename $i`
done

echo "done!"
====================================================================
./roms/ipxe/src/util/niclist.pl:
'pci-file=s' => \( my $pci_file = '/tmp/pci.ids' ),

# Download pci.ids file and parse it
fetch_pci_ids_file($pci_url, $pci_file);
my $pci_id_map = build_pci_id_map($pci_file);
====================================================================

./net/slirp.c:
    snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.%ld-%d",
             (long)getpid(), instance++);
====================================================================
./tcg/tcg.c:
#ifdef DEBUG_JIT
    /* Enable this block to be able to debug the ELF image file creation.
       One can use readelf, objdump, or other inspection utilities.  */
    {
        FILE *f = fopen("/tmp/qemu.jit", "w+b");
        if (f) {
            if (fwrite(img, img_size, 1, f) != img_size) {
                /* Avoid stupid unused return value warning for fwrite.  */
            }
            fclose(f);
        }
    }
#endif
====================================================================

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993




Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.