From: Richard W.M. Jones
Subject: Re: [PATCH 2/2] qemu-img: CVE-XXX Sanitize untrusted output from NBD server
Date: Sat, 3 Aug 2024 09:20:31 +0100
User-agent: Mutt/1.5.21 (2010-09-15)
On Fri, Aug 02, 2024 at 11:01:36PM +0100, Richard W.M. Jones wrote:
> On Fri, Aug 02, 2024 at 02:26:06PM -0500, Eric Blake wrote:
> > Error messages from an NBD server must be treated as untrusted; a
> > malicious server can inject escape sequences to try and trigger RCE
> > flaws via escape sequences to whatever terminal happens to be running
> > qemu-img.
>
> This presentation is relevant:
>
> https://dgl.cx/2023/09/ansi-terminal-security
This took way too long, but ...
$ wget http://oirase.annexia.org/tmp/nyan.c
$ nbdkit --log=null cc /tmp/nyan.c --run 'qemu-img info "$uri"'
Needs nbdkit >= 1.40, and don't worry, it doesn't exploit the terminal
except for silly internet memes.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html
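As an added example that is not part of the thread or of QEMU's own code, one defensive sanitizer of the kind the patch description calls for: before an untrusted NBD error string is shown on the terminal, C0 controls, DEL and UTF-8 encoded C1 controls are rewritten as visible `\xNN` escapes so the terminal never interprets them. The function names and the sample strings are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return a newly allocated copy of `in` in which every byte a terminal could
 * interpret as a control code is replaced by a visible "\xNN" escape.
 * Covered: C0 controls (0x00-0x1f, including ESC, BEL, CR, LF), DEL (0x7f)
 * and UTF-8 encoded C1 controls U+0080..U+009F (bytes 0xc2 0x80..0x9f),
 * which include the 8-bit CSI. Other UTF-8 sequences pass through intact. */
char *sanitize_for_terminal(const char *in)
{
    size_t n = strlen(in);
    char *out = malloc(n * 4 + 1);      /* worst case: every byte -> "\xNN" */
    if (!out) {
        return NULL;
    }
    char *p = out;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)in[i];
        int is_c0 = c < 0x20 || c == 0x7f;
        int is_c1 = c == 0xc2 && i + 1 < n &&
                    (unsigned char)in[i + 1] >= 0x80 &&
                    (unsigned char)in[i + 1] <= 0x9f;
        if (is_c0 || is_c1) {
            p += sprintf(p, "\\x%02x", c);
            if (is_c1) {                /* escape the second byte of the pair too */
                i++;
                p += sprintf(p, "\\x%02x", (unsigned char)in[i]);
            }
        } else {
            *p++ = (char)c;
        }
    }
    *p = '\0';
    return out;
}

/* Helper: sanitize `in` and report whether the result equals `expected`. */
int sanitized_equals(const char *in, const char *expected)
{
    char *s = sanitize_for_terminal(in);
    int eq = s != NULL && strcmp(s, expected) == 0;
    free(s);
    return eq;
}

int main(void)
{
    /* Constructed sample: an error string carrying an OSC title-setting sequence. */
    char *safe = sanitize_for_terminal("server says: \x1b]0;owned\x07 read failed");
    printf("%s\n", safe);               /* prints: server says: \x1b]0;owned\x07 read failed */
    free(safe);
    return 0;
}
```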