CVE-2018-16872

NameCVE-2018-16872
DescriptionA flaw was found in qemu Media Transfer Protocol (MTP). The code opening files in usb_mtp_get_object and usb_mtp_get_partial_object and directories in usb_mtp_object_readdir doesn't consider that the underlying filesystem may have changed since the time lstat(2) was called in usb_mtp_object_alloc, a classical TOCTTOU problem. An attacker with write access to the host filesystem shared with a guest can use this property to navigate the host filesystem in the context of the QEMU process and read any file the QEMU process has access to. Access to the filesystem may be local or via a network share protocol such as CIFS.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1694-1, DSA-4454-1
NVD severitylow (attack range: remote)
Debian Bugs916397

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
qemu (PTS)jessie1:2.1+dfsg-12+deb8u6vulnerable
jessie (security)1:2.1+dfsg-12+deb8u11fixed
stretch1:2.8+dfsg-6+deb9u5vulnerable
stretch (security)1:2.8+dfsg-6+deb9u8fixed
buster1:3.1+dfsg-8~deb10u1fixed
bullseye, sid1:3.1+dfsg-8fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
qemusource(unstable)1:3.1+dfsg-2low916397
qemusourcejessie1:2.1+dfsg-12+deb8u10lowDLA-1694-1
qemusourcestretch1:2.8+dfsg-6+deb9u6lowDSA-4454-1
qemu-kvmsource(unstable)(unfixed)low

Notes

https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg03135.html
https://git.qemu.org/?p=qemu.git;a=commit;h=bab9df35ce73d1c8e19a37e2737717ea1c984dc1

Search for package or bug name: Reporting problems