
List:       oss-security
Subject:    Re: [oss-security] CVE request -- libguestfs: missing disk format
From:       Eugene Teo <eugene () redhat ! com>
Date:       2010-10-18 17:18:58
Message-ID: 4CBC8182.6060903 () redhat ! com

On 10/19/2010 12:10 AM, Petr Matousek wrote:
> Hello Steve, vendors.
>
> Description:
> Libguestfs doesn't currently allow the format of a disk to be specified explicitly.
> Because of that, a malicious guest admin can exploit automatic image format detection
> in qemu, when libguestfs is used to administer the image, to read an arbitrary
> file on the host by forging an image header with a backing store.
>
> References:
> https://bugzilla.redhat.com/show_bug.cgi?id=643958
>
> Could you please allocate a CVE identifier for this issue?

Petr, please use CVE-2010-3851. Thanks.

Eugene
-- 
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }
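
A defensive check for the condition described in the quoted report, as an added example that is not part of the original message and is not libguestfs or qemu code: it inspects the first bytes of an image the host expects to be raw and reports whether a format-probing tool would see a QCOW header that declares a backing file. The function names and the sample bytes are constructed for illustration; the header prefix layout is the publicly documented QCOW one.

```python
import struct

QCOW_MAGIC = b"QFI\xfb"
# Big-endian prefix: magic, version, backing_file_offset, backing_file_size
QCOW_PREFIX = struct.Struct(">4sIQI")

def inspect_declared_raw(data: bytes) -> dict:
    """Report what a format-probing tool would see at the start of `data`."""
    report = {"looks_like_qcow": False, "version": None,
              "backing_declared": False, "backing_file": None}
    if len(data) < QCOW_PREFIX.size:
        return report
    magic, version, offset, size = QCOW_PREFIX.unpack_from(data)
    if magic != QCOW_MAGIC:
        return report
    report["looks_like_qcow"] = True
    report["version"] = version
    if offset and size:
        report["backing_declared"] = True
        name = data[offset:offset + size]
        # Only report the name if it lies fully inside the bytes we were given.
        if len(name) == size:
            report["backing_file"] = name.decode("utf-8", "replace")
    return report

def should_reject(data: bytes) -> bool:
    """A disk the host expects to be raw must not parse as QCOW at all."""
    return inspect_declared_raw(data)["looks_like_qcow"]

def constructed_forged_sample() -> bytes:
    # Constructed sample: a "raw" disk whose first sector mimics a QCOW header.
    name = b"/constructed/example/backing-file"
    head = QCOW_PREFIX.pack(QCOW_MAGIC, 2, 32, len(name))
    return head.ljust(32, b"\x00") + name + b"\x00" * 64

if __name__ == "__main__":
    for label, blob in (("plain raw", b"\x00" * 512),
                        ("forged header", constructed_forged_sample())):
        print(label, inspect_declared_raw(blob), "reject:", should_reject(blob))
```

Running such a check on guest-writable images before handing them to any tool that probes the format shows which disks would be reinterpreted; it complements, and does not replace, stating the disk format explicitly.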