Source: qemu
Version: 1:5.2+dfsg-6
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for qemu.

CVE-2021-20263[0]:
| A flaw was found in the virtio-fs shared file system daemon
| (virtiofsd) of QEMU. The new 'xattrmap' option may cause the
| 'security.capability' xattr in the guest to not drop on file write,
| potentially leading to a modified, privileged executable in the guest.
| In rare circumstances, this flaw could be used by a malicious user to
| elevate their privileges within the guest.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-20263
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20263
[1] https://www.openwall.com/lists/oss-security/2021/03/08/1
[2] https://git.qemu.org/?p=qemu.git;a=commit;h=e586edcb410543768ef009eaa22a2d9dd4a53846

Regards,
Salvatore