ping

On Tue, Feb 21, 2023 at 1:41 PM Philippe Mathieu-Daudé <phi...@linaro.org> wrote:

> On 21/2/23 12:21, Konstantin Kostiuk wrote:
> > resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2167423
> > fixes: CVE-2023-0664
> >
> > CVE Technical details: The cached installer for QEMU Guest Agent in c:\windows\installer
> > (https://github.com/qemu/qemu/blob/master/qga/installer/qemu-ga.wxs),
> > can be leveraged to begin a repair of the installation without validation
> > that the repair is being performed by an administrative user. The MSI repair
> > custom action "RegisterCom" and "UnregisterCom" is not set for impersonation
> > which allows for the actions to occur as the SYSTEM account
> > (LINE 137 AND 145 of qemu-ga.wxs). The custom action also leverages cmd.exe
> > to run qemu-ga.exe in line 134 and 142 which causes an interactive command
> > shell to spawn even though the MSI is set to be non-interactive on line 53.
> >
> > v1: https://lists.nongnu.org/archive/html/qemu-devel/2023-02/msg05661.html
>
> Per
> https://lore.kernel.org/qemu-devel/caa8xkjuqfbvgdvj059fvgosjkv+kz5jb1gfmnz+ao-twh7f...@mail.gmail.com/ :
>
> Reported-by: Brian Wiltse <brian.wil...@live.com>
>
> > v1 -> v2:
> >   Add explanation into commit messages
>
> Thanks, much appreciated!
>
> > Konstantin Kostiuk (2):
> >   qga/win32: Remove change action from MSI installer
> >   qga/win32: Use rundll for VSS installation
> >
> >  qga/installer/qemu-ga.wxs | 11 ++++++-----
> >  qga/vss-win32/install.cpp |  9 +++++++++
> >  qga/vss-win32/qga-vss.def |  2 ++
> >  3 files changed, 17 insertions(+), 5 deletions(-)
> >
> > --
> > 2.25.1
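
An audit for the installer pattern described in the quoted CVE details, as an added example that is not part of this thread or of QEMU's code: it flags WiX custom actions that run deferred with `Impersonate="no"` (SYSTEM context) and rates those that launch through cmd.exe as the highest priority. The `.wxs` fragment, the `cmdexe` property name, the `agent.exe` arguments and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed WiX v3 fragment modelled on the CVE description; the property
# name "cmdexe", the paths and the arguments are assumptions, not qemu-ga.wxs.
SAMPLE_WXS = """<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
  <Product Name="Example Agent">
    <Property Id="cmdexe" Value="cmd.exe"/>
    <CustomAction Id="RegisterCom" Property="cmdexe" Execute="deferred"
                  Impersonate="no" Return="check"
                  ExeCommand='/c "[INSTALLDIR]agent.exe" register'/>
    <CustomAction Id="UnregisterCom" Property="cmdexe" Execute="deferred"
                  Impersonate="no" Return="check"
                  ExeCommand='/c "[INSTALLDIR]agent.exe" unregister'/>
    <CustomAction Id="ShowReadme" Property="cmdexe" Execute="immediate"
                  ExeCommand='/c type "[INSTALLDIR]README.txt"'/>
    <CustomAction Id="RegisterLib" FileKey="agent_exe" Execute="deferred"
                  Impersonate="no" ExeCommand="register"/>
  </Product>
</Wix>"""

def local(tag):
    """Drop the XML namespace so the check does not depend on the WiX schema URI."""
    return tag.rsplit("}", 1)[-1]

def audit_custom_actions(wxs_text):
    """Return (action id, rating) for custom actions that run without impersonation."""
    root = ET.fromstring(wxs_text)
    props = {e.get("Id"): e.get("Value", "")
             for e in root.iter() if local(e.tag) == "Property"}
    findings = []
    for ca in root.iter():
        if local(ca.tag) != "CustomAction":
            continue
        deferred = ca.get("Execute", "immediate") in ("deferred", "commit", "rollback")
        # Impersonate defaults to "yes"; "no" on a deferred action drops the
        # caller's identity and runs the command in the installer's SYSTEM context.
        as_system = deferred and ca.get("Impersonate", "yes") == "no"
        # The executable can come from a referenced Property or the command itself.
        target = props.get(ca.get("Property"), "") + " " + ca.get("ExeCommand", "")
        via_shell = any(tok.strip('"').lower().endswith("cmd.exe")
                        for tok in target.split())
        if as_system:
            findings.append((ca.get("Id"), "HIGH" if via_shell else "REVIEW"))
    return findings

if __name__ == "__main__":
    for action_id, rating in audit_custom_actions(SAMPLE_WXS):
        print(f"{rating:6} {action_id}: deferred custom action without impersonation")
```

`HIGH` marks the combination the CVE text describes (no impersonation plus a command shell); `REVIEW` marks SYSTEM-context actions that call a binary directly and still deserve a check of who can trigger them.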