CVE-2011-2527

Publication date 26 July 2011

Last updated 24 July 2024

Ubuntu priority

The change_process_uid function in os-posix.c in Qemu 0.14.0 and earlier does not properly drop group privileges when the -runas option is used, which allows local guest users to access restricted files on the host.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
qemu-kvm	11.04 natty	Fixed 0.14.0+noroms-0ubuntu4.4
	10.10 maverick	Fixed 0.12.5+noroms-0ubuntu7.10
	10.04 LTS lucid	Fixed 0.12.3+noroms-0ubuntu9.15
	8.04 LTS hardy	Not in release

How can I get the fixes?
What do statuses mean?
Patch details

Notes

jdstrand

potential privilege escalation via supplementary groups

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
qemu-kvm	Vendor: http://www.debian.org/security/2011/dsa-2282

References

MITRE
NVD
Launchpad
Debian

Related Ubuntu Security Notices (USN)

USN-1177-1
QEMU vulnerability
27 July 2011

Other references

https://www.cve.org/CVERecord?id=CVE-2011-2527