[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH 2/2] qemu-img: CVE-XXX Sanitize untrusted output from NBD ser
|
From: |
Richard W.M. Jones |
|
Subject: |
Re: [PATCH 2/2] qemu-img: CVE-XXX Sanitize untrusted output from NBD server |
|
Date: |
Fri, 2 Aug 2024 23:01:36 +0100 |
|
User-agent: |
Mutt/1.5.21 (2010-09-15) |
On Fri, Aug 02, 2024 at 02:26:06PM -0500, Eric Blake wrote:
> Error messages from an NBD server must be treated as untrusted; a
> malicious server can inject escape sequences to try and trigger RCE
> flaws via escape sequences to whatever terminal happens to be running
> qemu-img.
This presentation is relevant:
https://dgl.cx/2023/09/ansi-terminal-security
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
libguestfs lets you edit virtual machines. Supports shell scripting,
bindings from many languages. http://libguestfs.org
- Re: [PATCH 1/2] util: Refactor json-writer's string sanitizer to be public, (continued)