[Bug 1812451] Re: In windows host, tftp arbitrary file read vulnerabilit

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug 1812451] Re: In windows host, tftp arbitrary file read vulnerabilit

From:	Thomas Huth
Subject:	[Bug 1812451] Re: In windows host, tftp arbitrary file read vulnerability
Date:	Thu, 20 Aug 2020 15:40:24 -0000

** Changed in: qemu
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1812451

Title:
  In windows host, tftp arbitrary file read vulnerability

Status in QEMU:
  Fix Released

Bug description:
  https://github.com/qemu/qemu/blob/master/slirp/tftp.c#L343

    if (!strncmp(req_fname, "../", 3) ||
        req_fname[strlen(req_fname) - 1] == '/' ||
        strstr(req_fname, "/../")) {
        tftp_send_error(spt, 2, "Access violation", tp);
        return;
    }

  There is file path check for not allowing escape tftp directory.
  But, in windows, file path is separated by "\" backslash.
  So, guest can read arbitrary file in Windows host.

  This bug is variant of CVE-2019-2553 - Directory traversal
  vulnerability.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1812451/+subscriptions

[Prev in Thread]

Current Thread

[Next in Thread]

[Bug 1812451] Re: In windows host, tftp arbitrary file read vulnerability, Thomas Huth <=

Prev by Date: [Bug 1872113] Re: qemu docs fails to build with Sphinx 3.0.x
Next by Date: [Bug 1859310] Re: libvirt probing fails due to assertion failure with KVM and 'none' machine type
Previous by thread: [Bug 1872113] Re: qemu docs fails to build with Sphinx 3.0.x
Next by thread: [Bug 1859310] Re: libvirt probing fails due to assertion failure with KVM and 'none' machine type
Index(es):
- Date
- Thread