CVE-2013-2007
Published: 21 May 2013
The qemu guest agent in Qemu 1.4.1 and earlier, as used by Xen, when started in daemon mode, uses weak permissions for certain files, which allows local users to read and write to these files.
Notes
Author | Note |
---|---|
mdeslaur | qemu guest agent is shipped in qemu-kvm binary package in precise. It's not built in quantal. It's in the qemu-guest-agent package in raring+ |
seth-arnold | I didn't see the qga.c or related files in xen-3.3 or xen packages |
mdeslaur | although we shipped the guest agent in the precise qemu-kvm package, we did not ship any init script. Users of this tool are advised to configure it to creates files in directories with appropriate permissions. we will not be releasing an update for precise. |
Priority
Status
Package | Release | Status |
---|---|---|
qemu Launchpad, Ubuntu, Debian |
lucid |
Does not exist
|
precise |
Does not exist
|
|
quantal |
Does not exist
|
|
raring |
Ignored
(end of life)
|
|
saucy |
Not vulnerable
(1.5.0+dfsg-3ubuntu2)
|
|
upstream |
Released
(1.5.0)
|
|
Patches: upstream: http://git.qemu.org/?p=qemu.git;a=commit;h=c689b4f1bac352dcfd6ecb9a1d45337de0f1de67 |
||
Binaries built from this source package are in Universe and so are supported by the community. | ||
qemu-kvm Launchpad, Ubuntu, Debian |
lucid |
Not vulnerable
(code not present)
|
precise |
Ignored
|
|
quantal |
Not vulnerable
(code not compiled)
|
|
raring |
Does not exist
|
|
saucy |
Does not exist
|
|
upstream |
Needed
|
|
Patches: upstream: http://git.qemu.org/?p=qemu.git;a=commit;h=c689b4f1bac352dcfd6ecb9a1d45337de0f1de67 |
||
xen Launchpad, Ubuntu, Debian |
lucid |
Does not exist
|
precise |
Not vulnerable
(code not present)
|
|
quantal |
Not vulnerable
(code not present)
|
|
raring |
Not vulnerable
(code not present)
|
|
saucy |
Not vulnerable
(code not present)
|
|
upstream |
Ignored
(no intention to patch)
|
|
xen-3.3 Launchpad, Ubuntu, Debian |
lucid |
Not vulnerable
(code not present)
|
precise |
Does not exist
|
|
quantal |
Does not exist
|
|
raring |
Does not exist
|
|
saucy |
Does not exist
|
|
upstream |
Ignored
(no intention to patch)
|