CVE-2008-1945

Published: 08 August 2008

QEMU 0.9.0 does not properly handle changes to removable media, which allows guest OS users to read arbitrary files on the host OS by using the diskformat: parameter in the -usbdevice option to modify the disk-image header to identify a different format, a related issue to CVE-2008-2004.

Priority

Medium

Status

Package Release Status
kvm
Launchpad, Ubuntu, Debian 		Upstream Needs triage

qemu
Launchpad, Ubuntu, Debian 		Upstream Needs triage

Patches:
Vendor: http://www.mandriva.com/security/advisories?name=MDVSA-2008:162
qemu-kvm
Launchpad, Ubuntu, Debian 		Upstream Needs triage

xen-3.0
Launchpad, Ubuntu, Debian 		Upstream Needs triage

Patches:
Vendor: http://people.ubuntu.com/~kees/qemu/xen-qemu-usbdisk-no-auto-format-CVE-2008-1945.patch
xen-3.1
Launchpad, Ubuntu, Debian 		Upstream Needs triage

Patches:
Vendor: http://people.ubuntu.com/~kees/qemu/xen-qemu-usbdisk-no-auto-format-CVE-2008-1945.patch
Binaries built from this source package are in Universe and so are supported by the community.
xen-3.2
Launchpad, Ubuntu, Debian 		Upstream Needs triage

Patches:
Vendor: http://people.ubuntu.com/~kees/qemu/xen-qemu-usbdisk-no-auto-format-CVE-2008-1945.patch
Binaries built from this source package are in Universe and so are supported by the community.
xen-3.3
Launchpad, Ubuntu, Debian 		Upstream Not vulnerable

Notes

AuthorNote
kees 
this follows CVE-2008-2004 chronologically.
xen-utils-3.x is in universe.
mdeslaur 
patch is xen-qemu-usbdisk-no-auto-format.patch in RHEL5

References

Join the discussion

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu 14.04 Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM

Further reading