FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

qemu -- "drive_init()" Disk Format Security Bypass

Affected packages
qemu < 0.9.1_6
0.9.1s.20070101* <= qemu < 0.9.1s.20080302_6
qemu-devel < 0.9.1_6
0.9.1s.20070101* <= qemu-devel < 0.9.1s.20080302_6

Details

VuXML ID 8950ac62-1d30-11dd-9388-0211060005df
Discovery 2008-04-28
Entry 2008-05-08

Secunia reports:

A vulnerability has been reported in QEMU, which can be exploited by malicious, local users to bypass certain security restrictions.

The vulnerability is caused due to the "drive_init()" function in vl.c determining the format of a disk from data contained in the disk's header. This can be exploited by a malicious user in a guest system to e.g. read arbitrary files on the host by writing a fake header to a raw formatted disk image.
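
Added example, not part of the Secunia report or the FreeBSD entry: a Python check that an administrator could run over disk images meant to be raw, flagging any whose leading bytes would make a header-based format probe select a different format. The function names, the magic table and the sample images are assumptions constructed for illustration.

```python
import io
import struct

# Leading magic bytes of image formats whose metadata can name other files.
MAGICS = {b"QFI\xfb": "qcow", b"KDMV": "vmdk", b"COWD": "vmdk"}
MAX_NAME = 1023  # qcow2 limits the backing file name to 1023 bytes


def probe_raw_image(img):
    """Return None if the image starts like plain raw data, otherwise a dict
    describing the format a header-based probe would select."""
    img.seek(0)
    head = img.read(20)
    fmt = MAGICS.get(head[:4])
    if fmt is None:
        return None
    finding = {"format": fmt, "version": None, "backing_file": None}
    if fmt == "qcow" and len(head) == 20:
        # qcow/qcow2 header, big-endian:
        # magic, version, backing_file_offset, backing_file_size
        _, version, off, size = struct.unpack(">4sIQI", head)
        finding["version"] = version
        if off and 0 < size <= MAX_NAME:
            img.seek(off)
            finding["backing_file"] = img.read(size).decode("utf-8", "replace")
    return finding


def constructed_samples():
    """Constructed test inputs: a zero-filled raw image, and a raw image whose
    first bytes carry a qcow2-style header with a placeholder backing name."""
    name = b"constructed-backing.img"
    plain = bytes(512)
    suspect = struct.pack(">4sIQI", b"QFI\xfb", 2, 20, len(name)) + name
    return io.BytesIO(plain), io.BytesIO(suspect.ljust(512, b"\0"))


if __name__ == "__main__":
    for label, img in zip(("plain", "suspect"), constructed_samples()):
        print(label, probe_raw_image(img))
```

A non-None result on an image that is supposed to be raw means the guest-controlled contents would be interpreted as that format by header probing, so the image needs review before it is attached again.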

References

CVE Name CVE-2008-2004
Message http://lists.gnu.org/archive/html/qemu-devel/2008-04/msg00675.html
URL http://secunia.com/advisories/30111/