|Description||Qemu before version 2.9 is vulnerable to an improper link following when built with the VirtFS. A privileged user inside guest could use this flaw to access host file system beyond the shared folder and potentially escalating their privileges on a host.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)|
|NVD severity||high (attack range: remote)|
Vulnerable and fixed packages
The table below lists information on source packages.
|qemu (PTS)||jessie (security), jessie||1:2.1+dfsg-12+deb8u6||vulnerable|
|stretch (security), stretch||1:2.8+dfsg-6+deb9u4||fixed|
The information below is based on the following data on fixed versions.
[jessie] - qemu <no-dsa> (Minor issue)
The original proposed patch does not fix the issue, cf.
Upstream patchset: https://lists.gnu.org/archive/html/qemu-devel/2017-01/msg06225.html
If fixing this issue for older suites, then make sure not to open the
CVE-2017-7471 vulnerability and apply as well 9c6b899f7a46893ab3b671e341a2234e9c0c060e
See further details in the CVE-2017-7471 tracker entry.