* [Bug 1812451] Re: In windows host, tftp arbitrary file read vulnerability
[not found] <154785010249.1233.12902128942224805447.malonedeb@gac.canonical.com>
@ 2020-01-20 14:59 ` Peter Maydell
2020-01-20 15:02 ` Samuel thibault
` (2 subsequent siblings)
3 siblings, 0 replies; 4+ messages in thread
From: Peter Maydell @ 2020-01-20 14:59 UTC (permalink / raw)
To: qemu-devel
** Information type changed from Private Security to Public
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1812451
Title:
In windows host, tftp arbitrary file read vulnerability
Status in QEMU:
New
Bug description:
https://github.com/qemu/qemu/blob/master/slirp/tftp.c#L343
if (!strncmp(req_fname, "../", 3) ||
req_fname[strlen(req_fname) - 1] == '/' ||
strstr(req_fname, "/../")) {
tftp_send_error(spt, 2, "Access violation", tp);
return;
}
There is file path check for not allowing escape tftp directory.
But, in windows, file path is separated by "\" backslash.
So, guest can read arbitrary file in Windows host.
This bug is variant of CVE-2019-2553 - Directory traversal
vulnerability.
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1812451/+subscriptions
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug 1812451] Re: In windows host, tftp arbitrary file read vulnerability
[not found] <154785010249.1233.12902128942224805447.malonedeb@gac.canonical.com>
2020-01-20 14:59 ` [Bug 1812451] Re: In windows host, tftp arbitrary file read vulnerability Peter Maydell
@ 2020-01-20 15:02 ` Samuel thibault
2020-01-20 15:06 ` Peter Maydell
2020-08-20 15:40 ` Thomas Huth
3 siblings, 0 replies; 4+ messages in thread
From: Samuel thibault @ 2020-01-20 15:02 UTC (permalink / raw)
To: qemu-devel
This is fixed upstream by
https://gitlab.freedesktop.org/slirp/libslirp/commit/14ec36e107a8c9af7d0a80c3571fe39b291ff1d4
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1812451
Title:
In windows host, tftp arbitrary file read vulnerability
Status in QEMU:
Fix Committed
Bug description:
https://github.com/qemu/qemu/blob/master/slirp/tftp.c#L343
if (!strncmp(req_fname, "../", 3) ||
req_fname[strlen(req_fname) - 1] == '/' ||
strstr(req_fname, "/../")) {
tftp_send_error(spt, 2, "Access violation", tp);
return;
}
There is file path check for not allowing escape tftp directory.
But, in windows, file path is separated by "\" backslash.
So, guest can read arbitrary file in Windows host.
This bug is variant of CVE-2019-2553 - Directory traversal
vulnerability.
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1812451/+subscriptions
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug 1812451] Re: In windows host, tftp arbitrary file read vulnerability
[not found] <154785010249.1233.12902128942224805447.malonedeb@gac.canonical.com>
2020-01-20 14:59 ` [Bug 1812451] Re: In windows host, tftp arbitrary file read vulnerability Peter Maydell
2020-01-20 15:02 ` Samuel thibault
@ 2020-01-20 15:06 ` Peter Maydell
2020-08-20 15:40 ` Thomas Huth
3 siblings, 0 replies; 4+ messages in thread
From: Peter Maydell @ 2020-01-20 15:06 UTC (permalink / raw)
To: qemu-devel
** Changed in: qemu
Status: New => Fix Committed
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1812451
Title:
In windows host, tftp arbitrary file read vulnerability
Status in QEMU:
Fix Committed
Bug description:
https://github.com/qemu/qemu/blob/master/slirp/tftp.c#L343
if (!strncmp(req_fname, "../", 3) ||
req_fname[strlen(req_fname) - 1] == '/' ||
strstr(req_fname, "/../")) {
tftp_send_error(spt, 2, "Access violation", tp);
return;
}
There is file path check for not allowing escape tftp directory.
But, in windows, file path is separated by "\" backslash.
So, guest can read arbitrary file in Windows host.
This bug is variant of CVE-2019-2553 - Directory traversal
vulnerability.
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1812451/+subscriptions
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug 1812451] Re: In windows host, tftp arbitrary file read vulnerability
[not found] <154785010249.1233.12902128942224805447.malonedeb@gac.canonical.com>
` (2 preceding siblings ...)
2020-01-20 15:06 ` Peter Maydell
@ 2020-08-20 15:40 ` Thomas Huth
3 siblings, 0 replies; 4+ messages in thread
From: Thomas Huth @ 2020-08-20 15:40 UTC (permalink / raw)
To: qemu-devel
** Changed in: qemu
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1812451
Title:
In windows host, tftp arbitrary file read vulnerability
Status in QEMU:
Fix Released
Bug description:
https://github.com/qemu/qemu/blob/master/slirp/tftp.c#L343
if (!strncmp(req_fname, "../", 3) ||
req_fname[strlen(req_fname) - 1] == '/' ||
strstr(req_fname, "/../")) {
tftp_send_error(spt, 2, "Access violation", tp);
return;
}
There is file path check for not allowing escape tftp directory.
But, in windows, file path is separated by "\" backslash.
So, guest can read arbitrary file in Windows host.
This bug is variant of CVE-2019-2553 - Directory traversal
vulnerability.
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1812451/+subscriptions
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-08-20 15:47 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <154785010249.1233.12902128942224805447.malonedeb@gac.canonical.com>
2020-01-20 14:59 ` [Bug 1812451] Re: In windows host, tftp arbitrary file read vulnerability Peter Maydell
2020-01-20 15:02 ` Samuel thibault
2020-01-20 15:06 ` Peter Maydell
2020-08-20 15:40 ` Thomas Huth
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).