In windows host, tftp arbitrary file read vulnerability

Bug #1812451 reported by jusunLee
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Fix Released

Bug Description

  if (!strncmp(req_fname, "../", 3) ||
      req_fname[strlen(req_fname) - 1] == '/' ||
      strstr(req_fname, "/../")) {
      tftp_send_error(spt, 2, "Access violation", tp);

There is file path check for not allowing escape tftp directory.
But, in windows, file path is separated by "\" backslash.
So, guest can read arbitrary file in Windows host.

This bug is variant of CVE-2019-2553 - Directory traversal vulnerability.

jusunLee (asiagaming)
description: updated
description: updated
Peter Maydell (pmaydell)
information type: Private Security → Public
Revision history for this message
Samuel thibault (samuel-thibault) wrote :
Peter Maydell (pmaydell)
Changed in qemu:
status: New → Fix Committed
Thomas Huth (th-huth)
Changed in qemu:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.