QEMU

In windows host, tftp arbitrary file read vulnerability

Bug #1812451 reported by jusunLee on 2019-01-18

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	QEMU	Fix Released	Undecided	Unassigned

Bug Description

https://github.com/qemu/qemu/blob/master/slirp/tftp.c#L343

  if (!strncmp(req_fname, "../", 3) ||
      req_fname[strlen(req_fname) - 1] == '/' ||
      strstr(req_fname, "/../")) {
      tftp_send_error(spt, 2, "Access violation", tp);
      return;
  }

There is file path check for not allowing escape tftp directory.
But, in windows, file path is separated by "\" backslash.
So, guest can read arbitrary file in Windows host.

This bug is variant of CVE-2019-2553 - Directory traversal vulnerability.

See original description

jusunLee (asiagaming) on 2019-01-19

description:	updated
description:	updated

Peter Maydell (pmaydell) on 2020-01-20

information type:

Private Security → Public

Revision history for this message

Samuel thibault (samuel-thibault) wrote on 2020-01-20:

This is fixed upstream by https://gitlab.freedesktop.org/slirp/libslirp/commit/14ec36e107a8c9af7d0a80c3571fe39b291ff1d4

Peter Maydell (pmaydell) on 2020-01-20

Changed in qemu:
status:	New → Fix Committed

Thomas Huth (th-huth) on 2020-08-20

Changed in qemu:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.