
Bug 932267 (CVE-2015-4037) - VUL-1: CVE-2015-4037: qemu,kvm,xen: insecure temporary file use in /net/slirp.c
Summary: VUL-1: CVE-2015-4037: qemu,kvm,xen: insecure temporary file use in /net/slirp.c
Status: RESOLVED FIXED
Alias: CVE-2015-4037
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P4 - Low : Minor
Target Milestone: ---
Deadline: 2016-01-26
Assignee: Bruce Rogers
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/117028/
Whiteboard: maint:running:61885:important maint:r...
Keywords:
Depends on:
Blocks:
 
Reported: 2015-05-26 08:10 UTC by Alexander Bergmann
Modified: 2021-01-21 18:25 UTC (History)
8 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Alexander Bergmann 2015-05-26 08:10:22 UTC
rh#1222892

Kurt Seifried discovered that temporary files were insecurely created in QEMU's /net/slirp.c implementation:

---
> ./net/slirp.c:
>     snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.%ld-%d",
>              (long)getpid(), instance++);

This one is real, used for -smb argument, to start smbd, making its configuration. Maybe tmpnam() should be used here.
---

Original report (and CVE request):

http://seclists.org/oss-sec/2015/q2/426

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1222892
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4037
http://seclists.org/oss-sec/2015/q2/538
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4037
Comment 1 Swamp Workflow Management 2015-05-26 22:00:37 UTC
bugbot adjusting priority
Comment 2 Andreas Stieger 2015-05-29 11:57:52 UTC
SLE 11 SP3 and SLE 12 only
Comment 3 Bruce Rogers 2015-06-04 15:29:10 UTC
There is now a patch for this in QEMU's master git branch:

commit 8b8f1c7e9ddb2e88a144638f6527bf70e32343e3
Author: Michael Tokarev <mjt@tls.msk.ru>
Date:   Thu May 28 14:12:26 2015 +0300

    slirp: use less predictable directory name in /tmp for smb config (CVE-2015-4037)
Comment 9 Viktor Kijasev 2015-06-12 09:08:09 UTC
Hello guys,
I have tested the issue and file's postfix has changed.
That is ok.

leylek:/images # ls /tmp/qemu-smb.
qemu-smb.1B2j7j/ qemu-smb.9L3FFA/ qemu-smb.JcoPTT/ qemu-smb.PFROVU/ 

However, when the qemu console is killed (finished unexpectedly) the files are not deleted (see when it can happen in Bug #934517).
That is not a regression (it was happening before applying the patch).

I am not sure whether from point of view of security it is correct.
Comment 10 Andreas Stieger 2015-06-12 09:15:26 UTC
(In reply to Viktor Kijasev from comment #9)
> Hello guys,
> I have tested the issue and file's postfix has changed.
> That is ok.
> 
> leylek:/images # ls /tmp/qemu-smb.
> qemu-smb.1B2j7j/ qemu-smb.9L3FFA/ qemu-smb.JcoPTT/ qemu-smb.PFROVU/ 
> 
> However, when the qemu console is killed (finished unexpectedly) the files
> are not deleted (see when it can happen in Bug #934517).
> That is not a regression (it was happening before applying the patch).
> 
> I am not sure whether from point of view of security it is correct.

Having files left over upon SIGKILL is okay. Only the filename used needs to be less predictable, so that an attacker cannot put in place his own file or symlink.
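The two points above (the description's predictable "/tmp/qemu-smb.PID-N" name, and comment 10's observation that only the unpredictability matters, not cleanup) can be shown side by side in a short C program. This is an added example written for this page, not QEMU's code or the patch from commit 8b8f1c7e: it reproduces the pre-fix naming scheme from the snippet in the description, shows what a local user can do with it, and then uses the mkdtemp() pattern that produces names like the `qemu-smb.1B2j7j` directories seen in comment 9. The function names and the follow-up `mkdir()` step are assumptions made for the demonstration; the suggestion in the description to use tmpnam() is not followed because tmpnam() only generates a name and leaves exactly the same window between choosing the path and creating it.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pre-fix naming scheme from net/slirp.c, reproduced here: the name is a
 * pure function of the PID and a per-process counter, both of which a
 * local user can read from /proc or simply guess. Returns 0 on success. */
int predictable_smb_dir(char *buf, size_t n, long pid, int instance)
{
    int len = snprintf(buf, n, "/tmp/qemu-smb.%ld-%d", pid, instance);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* What a local attacker does with a predictable name: occupy it first.
 * A symlink would serve the same purpose (assumption: the victim follows
 * it); a directory is used here so the test can clean up with rmdir().
 * Returns 0 on success, otherwise errno. */
int squat_path(const char *path)
{
    return mkdir(path, 0777) == 0 ? 0 : errno;
}

/* The victim's subsequent mkdir() on the chosen name (assumed follow-up
 * step). With a squatted name it fails with EEXIST; code that ignored
 * that failure would write its smb.conf into a directory the attacker
 * controls. Returns 0 on success, otherwise errno. */
int victim_mkdir(const char *path)
{
    return mkdir(path, 0700) == 0 ? 0 : errno;
}

/* Hardened variant (mkdtemp pattern). mkdtemp() fills the XXXXXX suffix
 * from the C library's random source and creates the directory with
 * mode 0700 in one step, retrying on EEXIST, so a pre-placed entry can
 * neither be hijacked nor used to block creation. Returns 0 on success. */
int secure_smb_dir(char *buf, size_t n)
{
    static const char tmpl[] = "/tmp/qemu-smb.XXXXXX";
    if (n < sizeof tmpl) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(buf, tmpl, sizeof tmpl);
    return mkdtemp(buf) == NULL ? -1 : 0;
}

/* Post-creation check a reviewer would want: a real directory (lstat, so
 * a symlink fails the test), owned by the caller, with no group/other
 * permission bits. Returns 1 if private, 0 otherwise. */
int smb_dir_is_private(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != getuid())
        return 0;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

int main(void)
{
    char guess[64], dir[64];

    /* 1. Predictable name: attacker squats it, victim's mkdir() fails. */
    predictable_smb_dir(guess, sizeof guess, (long)getpid(), 0);
    printf("predictable name: %s\n", guess);
    if (squat_path(guess) == 0) {
        int err = victim_mkdir(guess);
        printf("victim mkdir after squat: %s\n", strerror(err));
        rmdir(guess);
    }

    /* 2. mkdtemp(): unguessable suffix, private 0700 directory. */
    if (secure_smb_dir(dir, sizeof dir) != 0) {
        perror("mkdtemp");
        return 1;
    }
    printf("mkdtemp name: %s private=%d\n", dir, smb_dir_is_private(dir));
    rmdir(dir);
    return 0;
}
```

The directory left behind after a SIGKILL, as discussed above, is not what mkdtemp() addresses: it only guarantees that the name was not chosen by someone else and that the directory did not exist before the call. Leftovers are a housekeeping issue, and the private 0700 mode means their contents are not readable by other local users either way.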
Comment 11 Swamp Workflow Management 2015-06-26 13:08:08 UTC
SUSE-SU-2015:1152-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 932267,932770
CVE References: CVE-2015-3209
Sources used:
SUSE Linux Enterprise Server 11 SP3 (src):    kvm-1.4.2-0.22.31.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    kvm-1.4.2-0.22.31.1
Comment 12 Swamp Workflow Management 2015-09-09 16:13:48 UTC
SUSE-SU-2015:1519-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 893892,932267,932770
CVE References: CVE-2015-3209,CVE-2015-4037
Sources used:
SUSE Linux Enterprise Server 12 (src):    qemu-2.0.2-48.4.1
SUSE Linux Enterprise Desktop 12 (src):    qemu-2.0.2-48.4.1
Comment 13 Swamp Workflow Management 2015-10-30 16:15:22 UTC
SUSE-SU-2015:1853-1: An update that solves 8 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 877642,907514,910258,918984,923967,932267,941074,944463,944697,947165,950367,950703,950705,950706
CVE References: CVE-2014-0222,CVE-2015-4037,CVE-2015-5239,CVE-2015-6815,CVE-2015-7311,CVE-2015-7835,CVE-2015-7969,CVE-2015-7971
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    xen-4.2.5_14-18.2
SUSE Linux Enterprise Server 11-SP3 (src):    xen-4.2.5_14-18.2
SUSE Linux Enterprise Desktop 11-SP3 (src):    xen-4.2.5_14-18.2
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xen-4.2.5_14-18.2
Comment 14 Swamp Workflow Management 2015-11-03 10:34:56 UTC
SUSE-SU-2015:1894-1: An update that solves 8 vulnerabilities and has 9 fixes is now available.

Category: security (important)
Bug References: 877642,901488,907514,910258,918984,923967,932267,944463,944697,945167,947165,949138,949549,950367,950703,950705,950706
CVE References: CVE-2014-0222,CVE-2015-4037,CVE-2015-5239,CVE-2015-6815,CVE-2015-7311,CVE-2015-7835,CVE-2015-7969,CVE-2015-7971
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xen-4.4.3_02-26.2
SUSE Linux Enterprise Server 11-SP4 (src):    xen-4.4.3_02-26.2
SUSE Linux Enterprise Desktop 11-SP4 (src):    xen-4.4.3_02-26.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.3_02-26.2
Comment 15 Swamp Workflow Management 2015-11-04 16:14:52 UTC
SUSE-SU-2015:1908-1: An update that solves 8 vulnerabilities and has 8 fixes is now available.

Category: security (important)
Bug References: 877642,901488,907514,910258,918984,923967,932267,944463,944697,945167,947165,949138,950367,950703,950705,950706
CVE References: CVE-2014-0222,CVE-2015-4037,CVE-2015-5239,CVE-2015-6815,CVE-2015-7311,CVE-2015-7835,CVE-2015-7969,CVE-2015-7971
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    xen-4.4.3_02-22.12.1
SUSE Linux Enterprise Server 12 (src):    xen-4.4.3_02-22.12.1
SUSE Linux Enterprise Desktop 12 (src):    xen-4.4.3_02-22.12.1
Comment 16 Zdenek Kubala 2015-11-05 14:59:01 UTC
Hello, Is this bug valid for xen(sles11sp2) which is using qemu-dm(traditional)? 
Thank you
Comment 17 Charles Arnold 2015-11-05 15:19:24 UTC
(In reply to Zdenek Kubala from comment #16)
> Hello, Is this bug valid for xen(sles11sp2) which is using
> qemu-dm(traditional)? 
> Thank you

I backported the patch to qemu-dm all the way back to SLE10-SP3.
See CVE-2015-4037-qemut-smb-config-dir-name.patch in the sources.
Whether any customer has ever used this functionality is unknown.
Perhaps only basic regression testing is needed for these LTSS distros
in this case.
Comment 18 Zdenek Kubala 2015-11-06 14:50:50 UTC
(In reply to Charles Arnold from comment #17)
> (In reply to Zdenek Kubala from comment #16)
> > Hello, Is this bug valid for xen(sles11sp2) which is using
> > qemu-dm(traditional)? 
> > Thank you
> 
> I backported the patch to qemu-dm all the way back to SLE10-SP3.
> See CVE-2015-4037-qemut-smb-config-dir-name.patch in the sources.
> Whether any customer has ever used this functionality is unknown.
> Perhaps only basic regression testing is needed for these LTSS distros
> in this case.

Thx for clarification. And how can I easily reproduce it? Viktor reproduced it with qemu on sle12 but qemu-dm --help on sles11sp2 shows nothing about smb in net section.
Comment 19 Zdenek Kubala 2015-11-06 15:09:55 UTC
(In reply to Zdenek Kubala from comment #18)
> (In reply to Charles Arnold from comment #17)
> > (In reply to Zdenek Kubala from comment #16)
> > > Hello, Is this bug valid for xen(sles11sp2) which is using
> > > qemu-dm(traditional)? 
> > > Thank you
> > 
> > I backported the patch to qemu-dm all the way back to SLE10-SP3.
> > See CVE-2015-4037-qemut-smb-config-dir-name.patch in the sources.
> > Whether any customer has ever used this functionality is unknown.
> > Perhaps only basic regression testing is needed for these LTSS distros
> > in this case.
> 
> Thx for clarification. And how can I easily reproduce it? Viktor reproduced
> it with qemu on sle12 but qemu-dm --help on sles11sp2 shows nothing about
> smb in net section.

Or how to test it.
Comment 20 Charles Arnold 2015-11-06 15:47:37 UTC
(In reply to Zdenek Kubala from comment #19)
> (In reply to Zdenek Kubala from comment #18)
> > (In reply to Charles Arnold from comment #17)
> > > (In reply to Zdenek Kubala from comment #16)
> > > > Hello, Is this bug valid for xen(sles11sp2) which is using
> > > > qemu-dm(traditional)? 
> > > > Thank you
> > > 
> > > I backported the patch to qemu-dm all the way back to SLE10-SP3.
> > > See CVE-2015-4037-qemut-smb-config-dir-name.patch in the sources.
> > > Whether any customer has ever used this functionality is unknown.
> > > Perhaps only basic regression testing is needed for these LTSS distros
> > > in this case.
> > 
> > Thx for clarification. And how can I easily reproduce it? Viktor reproduced
> > it with qemu on sle12 but qemu-dm --help on sles11sp2 shows nothing about
> > smb in net section.
> 
> Or how to test it.

There was a lot of code rewrite in this area from 11sp2 to 12 (functions
moved to new files and renamed, etc.). It may not have worked well or at
all in the old code base. So in this case I think undocumented == unsupported
feature and therefore requires no testing.
Comment 21 Zdenek Kubala 2015-11-09 09:00:19 UTC
Makes sense. Thx.
Comment 22 Swamp Workflow Management 2015-11-10 17:10:33 UTC
SUSE-SU-2015:1952-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 877642,932267,944463,944697,950367,950703,950705,950706
CVE References: CVE-2014-0222,CVE-2015-4037,CVE-2015-5239,CVE-2015-6815,CVE-2015-7835,CVE-2015-7969,CVE-2015-7971
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    xen-4.1.6_08-20.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    xen-4.1.6_08-20.1
Comment 23 Swamp Workflow Management 2015-11-11 14:08:23 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-11-25.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62332
Comment 24 Swamp Workflow Management 2015-11-12 11:10:26 UTC
openSUSE-SU-2015:1964-1: An update that solves 12 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 877642,932267,938344,939709,939712,941074,944463,944697,947165,950367,950703,950705,950706,951845
CVE References: CVE-2014-0222,CVE-2015-4037,CVE-2015-5154,CVE-2015-5165,CVE-2015-5166,CVE-2015-5239,CVE-2015-6815,CVE-2015-7311,CVE-2015-7835,CVE-2015-7969,CVE-2015-7971,CVE-2015-7972
Sources used:
openSUSE 13.1 (src):    xen-4.3.4_06-50.1
Comment 25 Swamp Workflow Management 2015-11-12 11:13:31 UTC
openSUSE-SU-2015:1965-1: An update that solves 6 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 877642,932267,950367,950703,950705,950706,951845
CVE References: CVE-2014-0222,CVE-2015-4037,CVE-2015-7835,CVE-2015-7969,CVE-2015-7971,CVE-2015-7972
Sources used:
openSUSE Leap 42.1 (src):    xen-4.5.1_12-3.1
Comment 26 Swamp Workflow Management 2015-11-17 10:13:01 UTC
openSUSE-SU-2015:2003-1: An update that solves 13 vulnerabilities and has 9 fixes is now available.

Category: security (important)
Bug References: 877642,901488,907514,910258,918984,923967,925466,932267,935634,938344,939709,939712,944463,944697,945167,947165,949138,950367,950703,950705,950706,951845
CVE References: CVE-2014-0222,CVE-2015-3259,CVE-2015-4037,CVE-2015-5154,CVE-2015-5165,CVE-2015-5166,CVE-2015-5239,CVE-2015-6815,CVE-2015-7311,CVE-2015-7835,CVE-2015-7969,CVE-2015-7971,CVE-2015-7972
Sources used:
openSUSE 13.2 (src):    xen-4.4.3_02-30.1
Comment 27 Marcus Meissner 2015-12-19 16:38:24 UTC
All were released. needinfo satisfied, I think.
Comment 28 Swamp Workflow Management 2016-01-19 11:50:52 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2016-01-26.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62448
Comment 29 Swamp Workflow Management 2016-03-04 21:14:24 UTC
SUSE-SU-2016:0658-1: An update that fixes 13 vulnerabilities is now available.

Category: security (important)
Bug References: 877642,932267,944463,950706,953527,954405,956408,956411,957988,958009,958493,958523,962360
CVE References: CVE-2014-0222,CVE-2015-4037,CVE-2015-5239,CVE-2015-5307,CVE-2015-7504,CVE-2015-7512,CVE-2015-7971,CVE-2015-8104,CVE-2015-8339,CVE-2015-8340,CVE-2015-8504,CVE-2015-8550,CVE-2015-8555
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    xen-3.2.3_17040_46-0.23.2