Bug 1119493 (CVE-2018-16872) - VUL-0: CVE-2018-16872: kvm,qemu: usb-mtp: path traversal by host filesystem manipulation in Media Transfer Protocol (MTP)
Status: RESOLVED FIXED
Alias: CVE-2018-16872
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Bruce Rogers
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/220991/
Whiteboard: CVSSv3:SUSE:CVE-2018-16872:5.0:(AV:L/...
Keywords:
Depends on:
Blocks: 1119494
Reported: 2018-12-14 08:31 UTC by Alexander Bergmann
Modified: 2021-05-27 12:47 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Alexander Bergmann 2018-12-14 08:31:16 UTC
rh#1656114 / CVE-2018-16872

A flaw was found in qemu Media Transfer Protocol (MTP). The code opening files
in usb_mtp_get_object and usb_mtp_get_partial_object and directories in
usb_mtp_object_readdir doesn't consider that the underlying filesystem may have
changed since the time lstat(2) was called in usb_mtp_object_alloc, a classical
TOCTTOU problem. An attacker with write access to the host filesystem shared with
a guest can use this property to navigate the host filesystem in the context of
the QEMU process and read any file the QEMU process has access to. Access to the
filesystem may be local or via a network share protocol such as CIFS.

Upstream patch:
https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg03135.html

Reference:
https://www.openwall.com/lists/oss-security/2018/12/13/11

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1656114
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16872
http://seclists.org/oss-sec/2018/q4/242
https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg03135.html
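
The gap between the lstat(2) check and the later open described above, as an added example (not QEMU's code and not the upstream patch). The function names, the demo() harness and the temporary directory layout are assumptions made for illustration; the files are constructed in a scratch directory under /tmp.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern: metadata came from lstat() at enumeration time and the
 * object is opened later by the same path, so a swapped-in symlink is followed. */
static int open_by_path(const char *path)
{
    return open(path, O_RDONLY);
}

/* Hardened: refuse a symlink as the final component, then confirm the
 * descriptor is the same regular file (device, inode) that was enumerated. */
static int open_verified(int dirfd, const char *name, const struct stat *seen)
{
    struct stat now;
    int fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC | O_NONBLOCK);
    if (fd < 0) return -1;
    if (fstat(fd, &now) != 0 || !S_ISREG(now.st_mode) ||
        now.st_dev != seen->st_dev || now.st_ino != seen->st_ino) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario in a temp dir. Returns bit 0 set if the path-based
 * open succeeded and bit 1 set if the verified open succeeded. */
int demo(int swap)
{
    char root[] = "/tmp/mtpdemoXXXXXX", obj[64], outside[64];
    struct stat seen;
    int result = 0, fd, dirfd;
    if (!mkdtemp(root)) return -1;
    snprintf(obj, sizeof obj, "%s/obj", root);
    snprintf(outside, sizeof outside, "%s/outside", root);
    close(open(obj, O_CREAT | O_WRONLY, 0600));
    close(open(outside, O_CREAT | O_WRONLY, 0600));
    dirfd = open(root, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0 || lstat(obj, &seen) != 0) return -1;  /* time of check */
    if (swap && (unlink(obj) != 0 || symlink(outside, obj) != 0)) return -1;
    if ((fd = open_by_path(obj)) >= 0) { result |= 1; close(fd); }   /* time of use */
    if ((fd = open_verified(dirfd, "obj", &seen)) >= 0) { result |= 2; close(fd); }
    close(dirfd); unlink(obj); unlink(outside); rmdir(root);
    return result;
}
```

O_NOFOLLOW only covers the final path component; intermediate directories still have to be walked relative to an already-open directory descriptor for the check to hold.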
Comment 1 Bruce Rogers 2019-01-09 21:47:37 UTC
Appears to affect qemu versions as old as v2.1.0, so SLE versions back to SLE12-SP1, and their corresponding Leap versions.
Comment 2 Bruce Rogers 2019-01-09 21:48:22 UTC
Fix added to qemu about to be submitted for openSUSE:Factory and SLE15-SP1.
Comment 3 Bruce Rogers 2019-01-25 23:07:52 UTC
Fix added to qemu packages for the following releases:
SLE12-SP1
SLE12-SP2
SLE12-SP3
SLE12-SP4
SLE15

That should be all the needed SLE releases.
Comment 4 Bruce Rogers 2019-01-25 23:19:16 UTC
Fixed.
Comment 6 Swamp Workflow Management 2019-02-18 20:13:57 UTC
SUSE-SU-2019:0423-1: An update that solves 5 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1063993,1079730,1100408,1101982,1112646,1114957,1116717,1117275,1119493,1121600,1123156,1123179
CVE References: CVE-2018-16872,CVE-2018-18954,CVE-2018-19364,CVE-2018-19489,CVE-2019-6778
Sources used:
SUSE Linux Enterprise Module for Server Applications 15 (src):    qemu-2.11.2-9.20.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    qemu-2.11.2-9.20.1, qemu-linux-user-2.11.2-9.20.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    qemu-2.11.2-9.20.1
Comment 7 Swamp Workflow Management 2019-02-19 17:14:07 UTC
SUSE-SU-2019:0435-1: An update that solves 5 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1063993,1079730,1100408,1101982,1112646,1114957,1116717,1117275,1119493,1121600,1123156,1123179
CVE References: CVE-2018-16872,CVE-2018-18954,CVE-2018-19364,CVE-2018-19489,CVE-2019-6778
Sources used:
SUSE Linux Enterprise Server 12-SP4 (src):    qemu-2.11.2-5.8.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    qemu-2.11.2-5.8.1
Comment 8 Swamp Workflow Management 2019-02-22 17:10:07 UTC
SUSE-SU-2019:0471-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1116717,1117275,1119493,1123156
CVE References: CVE-2018-16872,CVE-2018-19364,CVE-2018-19489,CVE-2019-6778
Sources used:
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    qemu-2.3.1-33.20.1
Comment 9 Swamp Workflow Management 2019-02-26 11:13:46 UTC
SUSE-SU-2019:0489-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1084604,1113231,1116717,1117275,1119493,1123156
CVE References: CVE-2017-13672,CVE-2017-13673,CVE-2018-16872,CVE-2018-19364,CVE-2018-19489,CVE-2018-7858,CVE-2019-6778
Sources used:
SUSE OpenStack Cloud 7 (src):    qemu-2.6.2-41.49.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    qemu-2.6.2-41.49.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    qemu-2.6.2-41.49.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    qemu-2.6.2-41.49.1
SUSE Enterprise Storage 4 (src):    qemu-2.6.2-41.49.1
Comment 10 Swamp Workflow Management 2019-02-27 11:22:45 UTC
openSUSE-SU-2019:0254-1: An update that solves 5 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1063993,1079730,1100408,1101982,1112646,1114957,1116717,1117275,1119493,1121600,1123156,1123179
CVE References: CVE-2018-16872,CVE-2018-18954,CVE-2018-19364,CVE-2018-19489,CVE-2019-6778
Sources used:
openSUSE Leap 15.0 (src):    qemu-2.11.2-lp150.7.18.1, qemu-linux-user-2.11.2-lp150.7.18.1, qemu-testsuite-2.11.2-lp150.7.18.1
Comment 11 Swamp Workflow Management 2019-03-11 23:10:17 UTC
SUSE-SU-2019:0582-1: An update that solves 8 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1056334,1056386,1084604,1113231,1114957,1116717,1117275,1119493,1121600,1123156
CVE References: CVE-2017-13672,CVE-2017-13673,CVE-2018-16872,CVE-2018-18954,CVE-2018-19364,CVE-2018-19489,CVE-2018-7858,CVE-2019-6778
Sources used:
SUSE Linux Enterprise Server 12-SP3 (src):    qemu-2.9.1-6.28.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    qemu-2.9.1-6.28.1
SUSE CaaS Platform ALL (src):    qemu-2.9.1-6.28.1
SUSE CaaS Platform 3.0 (src):    qemu-2.9.1-6.28.1
Comment 12 Swamp Workflow Management 2019-03-28 23:10:40 UTC
openSUSE-SU-2019:1074-1: An update that solves 8 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1056334,1056386,1084604,1113231,1114957,1116717,1117275,1119493,1121600,1123156
CVE References: CVE-2017-13672,CVE-2017-13673,CVE-2018-16872,CVE-2018-18954,CVE-2018-19364,CVE-2018-19489,CVE-2018-7858,CVE-2019-6778
Sources used:
openSUSE Leap 42.3 (src):    qemu-2.9.1-56.1, qemu-linux-user-2.9.1-56.1, qemu-testsuite-2.9.1-56.2

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2019-04-27 22:15:27 UTC
SUSE-SU-2019:0471-2: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1116717,1117275,1119493,1123156
CVE References: CVE-2018-16872,CVE-2018-19364,CVE-2018-19489,CVE-2019-6778
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    qemu-2.3.1-33.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.