[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug 1812451] Re: In windows host, tftp arbitrary file read vulnerabilit
From: |
Thomas Huth |
Subject: |
[Bug 1812451] Re: In windows host, tftp arbitrary file read vulnerability |
Date: |
Thu, 20 Aug 2020 15:40:24 -0000 |
** Changed in: qemu
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1812451
Title:
In windows host, tftp arbitrary file read vulnerability
Status in QEMU:
Fix Released
Bug description:
https://github.com/qemu/qemu/blob/master/slirp/tftp.c#L343
if (!strncmp(req_fname, "../", 3) ||
req_fname[strlen(req_fname) - 1] == '/' ||
strstr(req_fname, "/../")) {
tftp_send_error(spt, 2, "Access violation", tp);
return;
}
There is file path check for not allowing escape tftp directory.
But, in windows, file path is separated by "\" backslash.
So, guest can read arbitrary file in Windows host.
This bug is variant of CVE-2019-2553 - Directory traversal
vulnerability.
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1812451/+subscriptions
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Bug 1812451] Re: In windows host, tftp arbitrary file read vulnerability,
Thomas Huth <=