CVE-2013-2007

Published: 21 May 2013

The qemu guest agent in Qemu 1.4.1 and earlier, as used by Xen, when started in daemon mode, uses weak permissions for certain files, which allows local users to read and write to these files.

Priority

Low

Status

Package Release Status
qemu
Upstream Released (1.5.0)
Ubuntu 14.04 ESM (Trusty Tahr) Not vulnerable (1.5.0+dfsg-3ubuntu2)
Patches:
Upstream: http://git.qemu.org/?p=qemu.git;a=commit;h=c689b4f1bac352dcfd6ecb9a1d45337de0f1de67
Binaries built from this source package are in Universe and so are supported by the community.
qemu-kvm
Upstream Needed

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

Patches:
Upstream: http://git.qemu.org/?p=qemu.git;a=commit;h=c689b4f1bac352dcfd6ecb9a1d45337de0f1de67
xen
Upstream Ignored (no intention to patch)
Ubuntu 14.04 ESM (Trusty Tahr) Not vulnerable (code not present)
xen-3.3
Upstream Ignored (no intention to patch)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

Notes

Author Note
mdeslaur
qemu guest agent is shipped in qemu-kvm binary package in precise. It's not built in quantal. It's in the qemu-guest-agent package in raring+
seth-arnold
I didn't see the qga.c or related files in xen-3.3 or xen packages
mdeslaur
Although we shipped the guest agent in the precise qemu-kvm package, we did not ship any init script. Users of this tool are advised to configure it to create files in directories with appropriate permissions. We will not be releasing an update for precise.

References

Bugs